diff --git a/Changelog b/Changelog
index a9cac976..4fdeaea9 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Add policy patterns support macros. This changes the behavior of
+ the create_dir_perms and create_file_perms permission sets.
- Association polmatch MLS constraint making unlabeled_t an exception
is no longer needed, patch from Venkat Yekkirala.
- Context contains checking for PAM and cron from James Antill.
diff --git a/policy/modules/admin/acct.if b/policy/modules/admin/acct.if
index 831295ca..7fa62c3b 100644
--- a/policy/modules/admin/acct.if
+++ b/policy/modules/admin/acct.if
@@ -16,12 +16,7 @@ interface(`acct_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,acct_exec_t,acct_t)
-
- allow $1 acct_t:fd use;
- allow acct_t $1:fd use;
- allow acct_t $1:fifo_file rw_file_perms;
- allow acct_t $1:process sigchld;
+ domtrans_pattern($1,acct_exec_t,acct_t)
')
########################################
@@ -80,7 +75,6 @@ interface(`acct_manage_data',`
')
files_search_var($1)
- allow $1 acct_data_t:dir rw_dir_perms;
- allow $1 acct_data_t:file create_file_perms;
- allow $1 acct_data_t:lnk_file create_lnk_perms;
+ manage_files_pattern($1,acct_data_t,acct_data_t)
+ manage_lnk_files_pattern($1,acct_data_t,acct_data_t)
')
diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te
index 7d06f6b0..1e53451a 100644
--- a/policy/modules/admin/acct.te
+++ b/policy/modules/admin/acct.te
@@ -26,9 +26,8 @@ dontaudit acct_t self:capability { kill sys_tty_config };
allow acct_t self:fifo_file { read write getattr };
allow acct_t self:process signal_perms;
-allow acct_t acct_data_t:dir rw_dir_perms;
-allow acct_t acct_data_t:file create_file_perms;
-allow acct_t acct_data_t:lnk_file create_lnk_perms;
+manage_files_pattern(acct_t,acct_data_t,acct_data_t)
+manage_lnk_files_pattern(acct_t,acct_data_t,acct_data_t)
can_exec(acct_t,acct_exec_t)
@@ -98,4 +97,3 @@ optional_policy(`
optional_policy(`
udev_read_db(acct_t)
')
-
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
index 0381c21b..791fdaaf 100644
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@@ -16,12 +16,7 @@ interface(`alsa_domtrans',`
type alsa_exec_t;
')
- domain_auto_trans($1, alsa_exec_t, alsa_t)
-
- allow $1 alsa_t:fd use;
- allow alsa_t $1:fd use;
- allow alsa_t $1:fifo_file rw_file_perms;
- allow alsa_t $1:process sigchld;
+ domtrans_pattern($1, alsa_exec_t, alsa_t)
')
########################################
@@ -75,7 +70,7 @@ interface(`alsa_read_rw_config',`
type alsa_etc_rw_t;
')
- allow $1 alsa_etc_rw_t:dir r_dir_perms;
- allow $1 alsa_etc_rw_t:file r_file_perms;
- allow $1 alsa_etc_rw_t:lnk_file { getattr read };
+ allow $1 alsa_etc_rw_t:dir list_dir_perms;
+ read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
+ read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
')
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index e93af953..d4f222c2 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -27,9 +27,8 @@ allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket create_stream_socket_perms;
allow alsa_t self:unix_dgram_socket create_socket_perms;
-allow alsa_t alsa_etc_rw_t:dir rw_dir_perms;
-allow alsa_t alsa_etc_rw_t:file create_file_perms;
-allow alsa_t alsa_etc_rw_t:lnk_file create_lnk_perms;
+manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
+manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
files_read_etc_files(alsa_t)
diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
index 318ce380..aa9d1932 100644
--- a/policy/modules/admin/amanda.if
+++ b/policy/modules/admin/amanda.if
@@ -15,12 +15,7 @@ interface(`amanda_domtrans_recover',`
type amanda_recover_t, amanda_recover_exec_t;
')
- domain_auto_trans($1,amanda_recover_exec_t,amanda_recover_t)
-
- allow $1 amanda_recover_t:fd use;
- allow amanda_recover_t $1:fd use;
- allow amanda_recover_t $1:fifo_file rw_file_perms;
- allow amanda_recover_t $1:process sigchld;
+ domtrans_pattern($1,amanda_recover_exec_t,amanda_recover_t)
')
########################################
@@ -70,7 +65,7 @@ interface(`amanda_search_lib',`
type amanda_usr_lib_t;
')
- allow $1 amanda_usr_lib_t:dir search;
+ allow $1 amanda_usr_lib_t:dir search_dir_perms;
files_search_usr($1)
')
@@ -144,7 +139,5 @@ interface(`amanda_append_log_files',`
type amanda_log_t;
')
- allow $1 amanda_log_t:file ra_file_perms;
+ allow $1 amanda_log_t:file { read_file_perms append_file_perms };
')
-
-
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index 7bbcc1b3..ad8a6c08 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -97,12 +97,12 @@ allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
-allow amanda_t amanda_log_t:file create_file_perms;
-allow amanda_t amanda_log_t:dir manage_dir_perms;
+manage_files_pattern(amanda_t,amanda_log_t,amanda_log_t)
+manage_dirs_pattern(amanda_t,amanda_log_t,amanda_log_t)
logging_log_filetrans(amanda_t,amanda_log_t,{ file dir })
-allow amanda_t amanda_tmp_t:dir create_dir_perms;
-allow amanda_t amanda_tmp_t:file create_file_perms;
+manage_files_pattern(amanda_t,amanda_tmp_t,amanda_tmp_t)
+manage_dirs_pattern(amanda_t,amanda_tmp_t,amanda_tmp_t)
files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
kernel_read_system_state(amanda_t)
@@ -180,23 +180,22 @@ allow amanda_recover_t self:unix_stream_socket { connect create read write };
allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
allow amanda_recover_t self:udp_socket create_socket_perms;
-allow amanda_recover_t amanda_log_t:dir rw_dir_perms;
-allow amanda_recover_t amanda_log_t:file manage_file_perms;
-allow amanda_recover_t amanda_log_t:lnk_file create_lnk_perms;
+manage_files_pattern(amanda_recover_t,amanda_log_t,amanda_log_t)
+manage_lnk_files_pattern(amanda_recover_t,amanda_log_t,amanda_log_t)
# access to amanda_recover_dir_t
-allow amanda_recover_t amanda_recover_dir_t:dir create_dir_perms;
-allow amanda_recover_t amanda_recover_dir_t:file create_file_perms;
-allow amanda_recover_t amanda_recover_dir_t:lnk_file create_lnk_perms;
-allow amanda_recover_t amanda_recover_dir_t:sock_file create_file_perms;
-allow amanda_recover_t amanda_recover_dir_t:fifo_file create_file_perms;
+manage_dirs_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
+manage_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
+manage_lnk_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
+manage_fifo_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
+manage_sock_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
userdom_sysadm_home_dir_filetrans(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
-allow amanda_recover_t amanda_tmp_t:dir create_dir_perms;
-allow amanda_recover_t amanda_tmp_t:file create_file_perms;
-allow amanda_recover_t amanda_tmp_t:lnk_file create_lnk_perms;
-allow amanda_recover_t amanda_tmp_t:sock_file create_file_perms;
-allow amanda_recover_t amanda_tmp_t:fifo_file create_file_perms;
+manage_dirs_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
+manage_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
+manage_lnk_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
+manage_fifo_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
+manage_sock_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_system_state(amanda_recover_t)
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 1f979940..13991f91 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -17,13 +17,7 @@ interface(`apt_domtrans',`
files_search_usr($1)
corecmd_search_bin($1)
- domain_auto_trans($1,apt_exec_t,apt_t)
-
- # allow basic communication
- allow $1 apt_t:fd use;
- allow apt_t $1:fd use;
- allow apt_t $1:fifo_file rw_file_perms;
- allow apt_t $1:process sigchld;
+ domtrans_pattern($1,apt_exec_t,apt_t)
')
########################################
@@ -92,7 +86,7 @@ interface(`apt_read_pipes',`
type apt_t;
')
- allow $1 apt_t:fifo_file r_file_perms;
+ allow $1 apt_t:fifo_file read_fifo_file_perms;
# TODO: enforce dpkg_read_pipes?
')
@@ -131,9 +125,9 @@ interface(`apt_read_db',`
')
files_search_var_lib($1)
- allow $1 apt_var_lib_t:dir r_dir_perms;
- allow $1 apt_var_lib_t:file { getattr read };
- allow $1 apt_var_lib_t:lnk_file r_file_perms;
+ allow $1 apt_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
+ read_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
')
########################################
@@ -152,9 +146,10 @@ interface(`apt_manage_db',`
')
files_search_var_lib($1)
- allow $1 apt_var_lib_t:dir rw_dir_perms;
- allow $1 apt_var_lib_t:file { getattr create read write append unlink };
- allow $1 apt_var_lib_t:lnk_file { getattr read write unlink };
+ manage_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
+ # cjp: shouldnt this be manage_lnk_files?
+ rw_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
+ delete_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
')
########################################
@@ -174,6 +169,6 @@ interface(`apt_dontaudit_manage_db',`
')
dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
- dontaudit $1 apt_var_lib_t:file create_file_perms;
- dontaudit $1 apt_var_lib_t:lnk_file create_lnk_perms;
+ dontaudit $1 apt_var_lib_t:file manage_file_perms;
+ dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_perms;
')
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index ff92a03f..e0fa44a4 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -34,7 +34,7 @@ files_type(apt_var_cache_t)
allow apt_t self:capability { chown dac_override fowner fsetid };
allow apt_t self:process { signal setpgid fork };
allow apt_t self:fd use;
-allow apt_t self:fifo_file rw_file_perms;
+allow apt_t self:fifo_file rw_fifo_file_perms;
allow apt_t self:unix_dgram_socket create_socket_perms;
allow apt_t self:unix_stream_socket rw_stream_socket_perms;
allow apt_t self:unix_dgram_socket sendto;
@@ -47,24 +47,22 @@ allow apt_t self:msgq create_msgq_perms;
allow apt_t self:msg { send receive };
# Access /var/cache/apt files
-allow apt_t apt_var_cache_t:file create_file_perms;
-allow apt_t apt_var_cache_t:dir rw_dir_perms;
+manage_files_pattern(apt_t,apt_var_cache_t,apt_var_cache_t)
files_var_filetrans(apt_t,apt_var_cache_t,dir)
-allow apt_t apt_tmp_t:dir create_dir_perms;
-allow apt_t apt_tmp_t:file create_file_perms;
+manage_dirs_pattern(apt_t,apt_tmp_t,apt_tmp_t)
+manage_files_pattern(apt_t,apt_tmp_t,apt_tmp_t)
files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
-allow apt_t apt_tmpfs_t:dir create_dir_perms;
-allow apt_t apt_tmpfs_t:file create_file_perms;
-allow apt_t apt_tmpfs_t:lnk_file create_file_perms;
-allow apt_t apt_tmpfs_t:sock_file create_file_perms;
-allow apt_t apt_tmpfs_t:fifo_file create_file_perms;
+manage_dirs_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
+manage_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
+manage_lnk_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
+manage_fifo_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
+manage_sock_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
fs_tmpfs_filetrans(apt_t,apt_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Access /var/lib/apt files
-allow apt_t apt_var_lib_t:file create_file_perms;
-allow apt_t apt_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(apt_t,apt_var_lib_t,apt_var_lib_t)
files_var_lib_filetrans(apt_t,apt_var_lib_t,dir)
kernel_read_system_state(apt_t)
diff --git a/policy/modules/admin/backup.if b/policy/modules/admin/backup.if
index 12098a25..87d1349e 100644
--- a/policy/modules/admin/backup.if
+++ b/policy/modules/admin/backup.if
@@ -15,10 +15,7 @@ interface(`backup_domtrans',`
type backup_t, backup_exec_t;
')
- domain_auto_trans($1,backup_exec_t,backup_t)
- allow backup_t $1:fd use;
- allow backup_t $1:fifo_file rw_file_perms;
- allow backup_t $1:process sigchld;
+ domtrans_pattern($1,backup_exec_t,backup_t)
')
########################################
diff --git a/policy/modules/admin/backup.te b/policy/modules/admin/backup.te
index 306cdb9b..277c49ae 100644
--- a/policy/modules/admin/backup.te
+++ b/policy/modules/admin/backup.te
@@ -22,13 +22,14 @@ files_type(backup_store_t)
allow backup_t self:capability dac_override;
allow backup_t self:process signal;
-allow backup_t self:fifo_file rw_file_perms;
+allow backup_t self:fifo_file rw_fifo_file_perms;
allow backup_t self:tcp_socket create_socket_perms;
allow backup_t self:udp_socket create_socket_perms;
-allow backup_t backup_store_t:dir ra_dir_perms;
-allow backup_t backup_store_t:file { create rw_file_perms setattr };
-allow backup_t backup_store_t:lnk_file { getattr read };
+allow backup_t backup_store_t:file setattr;
+create_files_pattern(backup_t,backup_store_t,backup_store_t)
+rw_files_pattern(backup_t,backup_store_t,backup_store_t)
+read_lnk_files_pattern(backup_t,backup_store_t,backup_store_t)
kernel_read_system_state(backup_t)
kernel_read_kernel_sysctls(backup_t)
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index 315882e1..57800cc7 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -15,12 +15,7 @@ interface(`bootloader_domtrans',`
type bootloader_t, bootloader_exec_t;
')
- domain_auto_trans($1, bootloader_exec_t, bootloader_t)
-
- allow $1 bootloader_t:fd use;
- allow bootloader_t $1:fd use;
- allow bootloader_t $1:fifo_file rw_file_perms;
- allow bootloader_t $1:process sigchld;
+ domtrans_pattern($1, bootloader_exec_t, bootloader_t)
')
########################################
@@ -53,7 +48,7 @@ interface(`bootloader_run',`
bootloader_domtrans($1)
role $2 types bootloader_t;
- allow bootloader_t $3:chr_file rw_file_perms;
+ allow bootloader_t $3:chr_file rw_term_perms;
')
########################################
@@ -71,7 +66,7 @@ interface(`bootloader_read_config',`
type bootloader_etc_t;
')
- allow $1 bootloader_etc_t:file r_file_perms;
+ allow $1 bootloader_etc_t:file read_file_perms;
')
########################################
@@ -127,10 +122,9 @@ interface(`bootloader_rw_tmp_files',`
#
interface(`bootloader_create_runtime_file',`
gen_require(`
- type boot_t, boot_runtime_t;
+ type boot_runtime_t;
')
- allow $1 boot_t:dir rw_dir_perms;
- allow $1 boot_runtime_t:file { rw_file_perms create unlink };
- type_transition $1 boot_t:file boot_runtime_t;
+ allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
+ files_boot_filetrans($1,boot_runtime_t,file)
')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 7668ee21..b5582c5c 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -50,18 +50,18 @@ logging_log_file(var_log_ksyms_t)
allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
allow bootloader_t self:process { sigkill sigstop signull signal execmem };
-allow bootloader_t self:fifo_file rw_file_perms;
+allow bootloader_t self:fifo_file rw_fifo_file_perms;
-allow bootloader_t bootloader_etc_t:file r_file_perms;
+allow bootloader_t bootloader_etc_t:file read_file_perms;
# uncomment the following lines if you use "lilo -p"
#allow bootloader_t bootloader_etc_t:file manage_file_perms;
#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
-allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
-allow bootloader_t bootloader_tmp_t:file create_file_perms;
-allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
-allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
-allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
+manage_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
+manage_lnk_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
+manage_blk_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
+manage_chr_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
# for tune2fs (cjp: ?)
files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
@@ -161,7 +161,7 @@ ifdef(`distro_redhat',`
allow bootloader_t self:capability ipc_lock;
# new file system defaults to file_t, granting file_t access is still bad.
- allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
+ allow bootloader_t boot_runtime_t:file { read_file_perms unlink };
# mkinitrd mount initrd on bootloader temp dir
files_mountpoint(bootloader_tmp_t)
diff --git a/policy/modules/admin/certwatch.if b/policy/modules/admin/certwatch.if
index c5f9e2a7..88ea0ba0 100644
--- a/policy/modules/admin/certwatch.if
+++ b/policy/modules/admin/certwatch.if
@@ -17,12 +17,7 @@ interface(`certwatch_domtrans',`
files_search_usr($1)
corecmd_search_sbin($1)
- domain_auto_trans($1,certwatch_exec_t,certwatch_t)
-
- allow $1 certwatch_t:fd use;
- allow certwatch_t $1:fd use;
- allow certwatch_t $1:fifo_file rw_file_perms;
- allow certwatch_t $1:process sigchld;
+ domtrans_pattern($1,certwatch_exec_t,certwatch_t)
')
########################################
diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
index b7915405..665fab95 100644
--- a/policy/modules/admin/consoletype.if
+++ b/policy/modules/admin/consoletype.if
@@ -18,12 +18,7 @@ interface(`consoletype_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,consoletype_exec_t,consoletype_t)
-
- allow $1 consoletype_t:fd use;
- allow consoletype_t $1:fd use;
- allow consoletype_t $1:fifo_file rw_file_perms;
- allow consoletype_t $1:process sigchld;
+ domtrans_pattern($1,consoletype_exec_t,consoletype_t)
')
########################################
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index dc641ee7..d111d6e0 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -25,8 +25,8 @@ ifdef(`targeted_policy',`',`
allow consoletype_t self:capability sys_admin;
allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow consoletype_t self:fd use;
-allow consoletype_t self:fifo_file rw_file_perms;
-allow consoletype_t self:sock_file r_file_perms;
+allow consoletype_t self:fifo_file rw_fifo_file_perms;
+allow consoletype_t self:sock_file read_sock_file_perms;
allow consoletype_t self:unix_dgram_socket create_socket_perms;
allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
allow consoletype_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/admin/ddcprobe.if b/policy/modules/admin/ddcprobe.if
index 8a7ea14b..e3ea6cc6 100644
--- a/policy/modules/admin/ddcprobe.if
+++ b/policy/modules/admin/ddcprobe.if
@@ -15,12 +15,7 @@ interface(`ddcprobe_domtrans',`
type ddcprobe_t, ddcprobe_exec_t;
')
- domain_auto_trans($1,ddcprobe_exec_t,ddcprobe_t)
-
- allow $1 ddcprobe_t:fd use;
- allow ddcprobe_t $1:fd use;
- allow ddcprobe_t $1:fifo_file rw_file_perms;
- allow ddcprobe_t $1:process sigchld;
+ domtrans_pattern($1,ddcprobe_exec_t,ddcprobe_t)
')
########################################
diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if
index b4dcfc4b..99bffc83 100644
--- a/policy/modules/admin/dpkg.if
+++ b/policy/modules/admin/dpkg.if
@@ -19,13 +19,7 @@ interface(`dpkg_domtrans',`
files_search_usr($1)
corecmd_search_bin($1)
- domain_auto_trans($1,dpkg_exec_t,dpkg_t)
-
- # allow basic communication
- allow $1 dpkg_t:fd use;
- allow dpkg_t $1:fd use;
- allow dpkg_t $1:fifo_file rw_file_perms;
- allow dpkg_t $1:process sigchld;
+ domtrans_pattern($1,dpkg_exec_t,dpkg_t)
')
########################################
@@ -45,8 +39,6 @@ interface(`dpkg_domtrans_script',`
# transition to dpkg script:
corecmd_shell_domtrans($1,dpkg_script_t)
-
- allow $1 dpkg_script_t:fd use;
allow dpkg_script_t $1:fd use;
allow dpkg_script_t $1:fifo_file rw_file_perms;
allow dpkg_script_t $1:process sigchld;
@@ -118,7 +110,7 @@ interface(`dpkg_read_pipes',`
type dpkg_t;
')
- allow $1 dpkg_t:fifo_file r_file_perms;
+ allow $1 dpkg_t:fifo_file read_fifo_file_perms;
')
########################################
@@ -136,7 +128,7 @@ interface(`dpkg_rw_pipes',`
type dpkg_t;
')
- allow $1 dpkg_t:fifo_file rw_file_perms;
+ allow $1 dpkg_t:fifo_file rw_fifo_file_perms;
')
########################################
@@ -173,9 +165,9 @@ interface(`dpkg_read_db',`
')
files_search_var_lib($1)
- allow $1 dpkg_var_lib_t:dir r_dir_perms;
- allow $1 dpkg_var_lib_t:file { getattr read };
- allow $1 dpkg_var_lib_t:lnk_file r_file_perms;
+ allow $1 dpkg_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
+ read_lnk_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
')
########################################
@@ -194,9 +186,8 @@ interface(`dpkg_manage_db',`
')
files_search_var_lib($1)
- allow $1 dpkg_var_lib_t:dir rw_dir_perms;
- allow $1 dpkg_var_lib_t:file manage_file_perms;
- allow $1 dpkg_var_lib_t:lnk_file { getattr read write unlink };
+ manage_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
+ manage_lnk_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
')
########################################
@@ -217,7 +208,7 @@ interface(`dpkg_dontaudit_manage_db',`
dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
- dontaudit $1 dpkg_var_lib_t:lnk_file create_lnk_perms;
+ dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms;
')
########################################
@@ -236,6 +227,6 @@ interface(`dpkg_lock_db',`
')
files_search_var_lib($1)
- allow $1 dpkg_var_lib_t:dir r_dir_perms;
+ allow $1 dpkg_var_lib_t:dir list_dir_perms;
allow $1 dpkg_lock_t:file { getattr create read write append unlink lock };
')
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index ce31e225..5b506cf2 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -55,7 +55,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t)
allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
-allow dpkg_t self:fifo_file rw_file_perms;
+allow dpkg_t self:fifo_file rw_fifo_file_perms;
allow dpkg_t self:unix_dgram_socket create_socket_perms;
allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_t self:unix_dgram_socket sendto;
@@ -69,20 +69,19 @@ allow dpkg_t self:msg { send receive };
allow dpkg_t dpkg_lock_t:file manage_file_perms;
-allow dpkg_t dpkg_tmp_t:dir manage_dir_perms;
-allow dpkg_t dpkg_tmp_t:file manage_file_perms;
+manage_dirs_pattern(dpkg_t,dpkg_tmp_t,dpkg_tmp_t)
+manage_files_pattern(dpkg_t,dpkg_tmp_t,dpkg_tmp_t)
files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
-allow dpkg_t dpkg_tmpfs_t:dir manage_dir_perms;
-allow dpkg_t dpkg_tmpfs_t:file manage_file_perms;
-allow dpkg_t dpkg_tmpfs_t:lnk_file manage_file_perms;
-allow dpkg_t dpkg_tmpfs_t:sock_file manage_file_perms;
-allow dpkg_t dpkg_tmpfs_t:fifo_file manage_file_perms;
+manage_dirs_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
+manage_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
+manage_lnk_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
+manage_sock_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
+manage_fifo_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
fs_tmpfs_filetrans(dpkg_t,dpkg_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Access /var/lib/dpkg files
-allow dpkg_t dpkg_var_lib_t:file manage_file_perms;
-allow dpkg_t dpkg_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(dpkg_t,dpkg_var_lib_t,dpkg_var_lib_t)
files_var_lib_filetrans(dpkg_t,dpkg_var_lib_t,dir)
kernel_read_system_state(dpkg_t)
diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if
index 266e43d9..d55f6ddc 100644
--- a/policy/modules/admin/firstboot.if
+++ b/policy/modules/admin/firstboot.if
@@ -18,12 +18,7 @@ interface(`firstboot_domtrans',`
type firstboot_t, firstboot_exec_t;
')
- domain_auto_trans($1,firstboot_exec_t,firstboot_t)
-
- allow $1 firstboot_t:fd use;
- allow firstboot_t $1:fd use;
- allow firstboot_t $1:fifo_file rw_file_perms;
- allow firstboot_t $1:process sigchld;
+ domtrans_pattern($1,firstboot_exec_t,firstboot_t)
')
########################################
diff --git a/policy/modules/admin/kudzu.if b/policy/modules/admin/kudzu.if
index 8d102854..06f4c118 100644
--- a/policy/modules/admin/kudzu.if
+++ b/policy/modules/admin/kudzu.if
@@ -15,12 +15,7 @@ interface(`kudzu_domtrans',`
type kudzu_t, kudzu_exec_t;
')
- domain_auto_trans($1,kudzu_exec_t,kudzu_t)
-
- allow $1 kudzu_t:fd use;
- allow kudzu_t $1:fd use;
- allow kudzu_t $1:fifo_file rw_file_perms;
- allow kudzu_t $1:process sigchld;
+ domtrans_pattern($1,kudzu_exec_t,kudzu_t)
')
########################################
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index 7a49ddd8..187cb03c 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -24,17 +24,18 @@ files_pid_file(kudzu_var_run_t)
allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
dontaudit kudzu_t self:capability sys_tty_config;
allow kudzu_t self:process { signal_perms execmem };
-allow kudzu_t self:fifo_file rw_file_perms;
+allow kudzu_t self:fifo_file rw_fifo_file_perms;
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow kudzu_t self:unix_dgram_socket create_socket_perms;
allow kudzu_t self:udp_socket { create ioctl };
-allow kudzu_t kudzu_tmp_t:dir create_file_perms;
-allow kudzu_t kudzu_tmp_t:{ file chr_file } create_file_perms;
+manage_dirs_pattern(kudzu_t,kudzu_tmp_t,kudzu_tmp_t)
+manage_files_pattern(kudzu_t,kudzu_tmp_t,kudzu_tmp_t)
+manage_chr_files_pattern(kudzu_t,kudzu_tmp_t,kudzu_tmp_t)
files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
-allow kudzu_t kudzu_var_run_t:file create_file_perms;
-allow kudzu_t kudzu_var_run_t:dir create_dir_perms;
+manage_dirs_pattern(kudzu_t,kudzu_var_run_t,kudzu_var_run_t)
+manage_files_pattern(kudzu_t,kudzu_var_run_t,kudzu_var_run_t)
files_pid_filetrans(kudzu_t,kudzu_var_run_t,file)
kernel_change_ring_buffer_level(kudzu_t)
diff --git a/policy/modules/admin/logrotate.if b/policy/modules/admin/logrotate.if
index 480120ce..f9efabda 100644
--- a/policy/modules/admin/logrotate.if
+++ b/policy/modules/admin/logrotate.if
@@ -15,12 +15,7 @@ interface(`logrotate_domtrans',`
type logrotate_t, logrotate_exec_t;
')
- domain_auto_trans($1,logrotate_exec_t,logrotate_t)
-
- allow $1 logrotate_t:fd use;
- allow logrotate_t $1:fd use;
- allow logrotate_t $1:fifo_file rw_file_perms;
- allow logrotate_t $1:process sigchld;
+ domtrans_pattern($1,logrotate_exec_t,logrotate_t)
')
########################################
@@ -125,5 +120,5 @@ interface(`logrotate_read_tmp_files',`
')
files_search_tmp($1)
- allow $1 logrotate_tmp_t:file r_file_perms;
+ allow $1 logrotate_tmp_t:file read_file_perms;
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index fdd44036..ebd7e452 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -40,7 +40,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi
allow logrotate_t self:process setfscreate;
allow logrotate_t self:fd use;
-allow logrotate_t self:fifo_file rw_file_perms;
+allow logrotate_t self:fifo_file rw_fifo_file_perms;
allow logrotate_t self:unix_dgram_socket create_socket_perms;
allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
allow logrotate_t self:unix_dgram_socket sendto;
@@ -50,18 +50,18 @@ allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
allow logrotate_t self:msg { send receive };
-allow logrotate_t logrotate_lock_t:file create_file_perms;
+allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t,logrotate_lock_t,file)
can_exec(logrotate_t, logrotate_tmp_t)
-allow logrotate_t logrotate_tmp_t:dir create_dir_perms;
-allow logrotate_t logrotate_tmp_t:file create_file_perms;
+manage_dirs_pattern(logrotate_t,logrotate_tmp_t,logrotate_tmp_t)
+manage_files_pattern(logrotate_t,logrotate_tmp_t,logrotate_tmp_t)
files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
# for /var/lib/logrotate.status and /var/lib/logcheck
-allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms };
-allow logrotate_t logrotate_var_lib_t:file create_file_perms;
+create_dirs_pattern(logrotate_t,logrotate_var_lib_t,logrotate_var_lib_t)
+manage_files_pattern(logrotate_t,logrotate_var_lib_t,logrotate_var_lib_t)
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
kernel_read_system_state(logrotate_t)
diff --git a/policy/modules/admin/logwatch.if b/policy/modules/admin/logwatch.if
index 5dd8bdf7..d878e752 100644
--- a/policy/modules/admin/logwatch.if
+++ b/policy/modules/admin/logwatch.if
@@ -16,7 +16,7 @@ interface(`logwatch_read_tmp_files',`
')
files_search_tmp($1)
- allow $1 logwatch_tmp_t:file r_file_perms;
+ allow $1 logwatch_tmp_t:file read_file_perms;
')
########################################
@@ -34,5 +34,5 @@ interface(`logwatch_search_cache_dir',`
type logwatch_cache_t;
')
- allow $1 logwatch_cache_t:dir search;
+ allow $1 logwatch_cache_t:dir search_dir_perms;
')
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
index a964e04a..9627ca99 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -31,14 +31,14 @@ allow logwatch_t self:process signal;
allow logwatch_t self:fifo_file rw_file_perms;
allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
-allow logwatch_t logwatch_cache_t:dir create_dir_perms;
-allow logwatch_t logwatch_cache_t:file create_file_perms;
+manage_dirs_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
+manage_files_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
allow logwatch_t logwatch_lock_t:file manage_file_perms;
files_lock_filetrans(logwatch_t,logwatch_lock_t,file)
-allow logwatch_t logwatch_tmp_t:dir create_dir_perms;
-allow logwatch_t logwatch_tmp_t:file create_file_perms;
+manage_dirs_pattern(logwatch_t,logwatch_tmp_t,logwatch_tmp_t)
+manage_files_pattern(logwatch_t,logwatch_tmp_t,logwatch_tmp_t)
files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
kernel_read_fs_sysctls(logwatch_t)
diff --git a/policy/modules/admin/mrtg.if b/policy/modules/admin/mrtg.if
index fab860bb..b82864f5 100644
--- a/policy/modules/admin/mrtg.if
+++ b/policy/modules/admin/mrtg.if
@@ -14,6 +14,7 @@ interface(`mrtg_append_create_logs',`
gen_require(`
type mrtg_log_t;
')
- allow $1 mrtg_log_t:dir rw_dir_perms;
- allow $1 mrtg_log_t:file { create append getattr };
+
+ append_files_pattern($1,mrtg_log_t,mrtg_log_t)
+ create_files_pattern($1,mrtg_log_t,mrtg_log_t)
')
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 2c536387..6dc3ac34 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -38,31 +38,24 @@ allow mrtg_t self:unix_stream_socket create_socket_perms;
allow mrtg_t self:tcp_socket create_socket_perms;
allow mrtg_t self:udp_socket create_socket_perms;
-allow mrtg_t mrtg_etc_t:file r_file_perms;
-allow mrtg_t mrtg_etc_t:dir r_dir_perms;
-allow mrtg_t mrtg_etc_t:lnk_file { getattr read };
-files_search_etc(mrtg_t)
+allow mrtg_t mrtg_etc_t:dir list_dir_perms;
+read_files_pattern(mrtg_t,mrtg_etc_t,mrtg_etc_t)
+read_lnk_files_pattern(mrtg_t,mrtg_etc_t,mrtg_etc_t)
+dontaudit mrtg_t mrtg_etc_t:dir write;
+dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
-allow mrtg_t mrtg_lock_t:dir rw_dir_perms;
-allow mrtg_t mrtg_lock_t:file create_file_perms;
-allow mrtg_t mrtg_lock_t:lnk_file create_lnk_perms;
+manage_files_pattern(mrtg_t,mrtg_lock_t,mrtg_lock_t)
+manage_lnk_files_pattern(mrtg_t,mrtg_lock_t,mrtg_lock_t)
-allow mrtg_t mrtg_log_t:file create_file_perms;
-allow mrtg_t mrtg_log_t:dir rw_dir_perms;
+manage_files_pattern(mrtg_t,mrtg_log_t,mrtg_log_t)
logging_log_filetrans(mrtg_t,mrtg_log_t,{ file dir })
-allow mrtg_t mrtg_var_lib_t:dir rw_dir_perms;
-allow mrtg_t mrtg_var_lib_t:file create_file_perms;
-allow mrtg_t mrtg_var_lib_t:lnk_file create_lnk_perms;
+manage_files_pattern(mrtg_t,mrtg_var_lib_t,mrtg_var_lib_t)
+manage_lnk_files_pattern(mrtg_t,mrtg_var_lib_t,mrtg_var_lib_t)
allow mrtg_t mrtg_var_run_t:file manage_file_perms;
files_pid_filetrans(mrtg_t,mrtg_var_run_t,file)
-# read config files
-dontaudit mrtg_t mrtg_etc_t:dir write;
-dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
-files_read_etc_files(mrtg_t)
-
kernel_read_system_state(mrtg_t)
kernel_read_network_state(mrtg_t)
kernel_read_kernel_sysctls(mrtg_t)
@@ -94,6 +87,8 @@ files_search_spool(mrtg_t)
files_getattr_tmp_dirs(mrtg_t)
# for uptime
files_read_etc_runtime_files(mrtg_t)
+# read config files
+files_read_etc_files(mrtg_t)
fs_search_auto_mountpoints(mrtg_t)
fs_getattr_xattr_fs(mrtg_t)
@@ -127,9 +122,8 @@ ifdef(`enable_mls',`
')
ifdef(`distro_redhat',`
- allow mrtg_t mrtg_etc_t:dir rw_dir_perms;
- allow mrtg_t mrtg_lock_t:file create_file_perms;
- type_transition mrtg_t mrtg_etc_t:file mrtg_lock_t;
+ allow mrtg_t mrtg_lock_t:file manage_file_perms;
+ filetrans_pattern(mrtg_t,mrtg_etc_t,mrtg_lock_t,file)
')
ifdef(`targeted_policy',`
diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
index e562e6df..3025d026 100644
--- a/policy/modules/admin/netutils.if
+++ b/policy/modules/admin/netutils.if
@@ -15,12 +15,7 @@ interface(`netutils_domtrans',`
type netutils_t, netutils_exec_t;
')
- domain_auto_trans($1,netutils_exec_t,netutils_t)
-
- allow $1 netutils_t:fd use;
- allow netutils_t $1:fd use;
- allow netutils_t $1:fifo_file rw_file_perms;
- allow netutils_t $1:process sigchld;
+ domtrans_pattern($1,netutils_exec_t,netutils_t)
')
########################################
@@ -88,12 +83,7 @@ interface(`netutils_domtrans_ping',`
type ping_t, ping_exec_t;
')
- domain_auto_trans($1,ping_exec_t,ping_t)
-
- allow $1 ping_t:fd use;
- allow ping_t $1:fd use;
- allow ping_t $1:fifo_file rw_file_perms;
- allow ping_t $1:process sigchld;
+ domtrans_pattern($1,ping_exec_t,ping_t)
')
########################################
@@ -233,12 +223,7 @@ interface(`netutils_domtrans_traceroute',`
type traceroute_t, traceroute_exec_t;
')
- domain_auto_trans($1,traceroute_exec_t,traceroute_t)
-
- allow $1 traceroute_t:fd use;
- allow traceroute_t $1:fd use;
- allow traceroute_t $1:fifo_file rw_file_perms;
- allow traceroute_t $1:process sigchld;
+ domtrans_pattern($1,traceroute_exec_t,traceroute_t)
')
########################################
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index c5443224..bd0f354e 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -37,8 +37,8 @@ allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;
-allow netutils_t netutils_tmp_t:dir create_dir_perms;
-allow netutils_t netutils_tmp_t:file create_file_perms;
+manage_dirs_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t)
+manage_files_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t)
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t)
@@ -98,7 +98,6 @@ optional_policy(`
allow ping_t self:capability { setuid net_raw };
dontaudit ping_t self:capability sys_tty_config;
-
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
@@ -120,11 +119,11 @@ files_dontaudit_search_var(ping_t)
libs_use_ld_so(ping_t)
libs_use_shared_libs(ping_t)
+logging_send_syslog_msg(ping_t)
+
sysnet_read_config(ping_t)
sysnet_dns_name_resolve(ping_t)
-logging_send_syslog_msg(ping_t)
-
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
')
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index e343df2a..b4bde15d 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -28,10 +28,7 @@ interface(`portage_domtrans',`
allow portage_t $1:process sigchld;
# transition to portage
- domain_auto_trans($1,portage_exec_t,portage_t.merge)
- allow portage_t.merge $1:fd use;
- allow portage_t.merge $1:fifo_file rw_file_perms;
- allow portage_t.merge $1:process sigchld;
+ domtrans_pattern($1,portage_exec_t,portage_t.merge)
')
########################################
@@ -102,7 +99,7 @@ interface(`portage_compile_domain',`
allow $1 self:process { setpgid setsched setrlimit signal_perms execmem };
allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1 self:fd use;
- allow $1 self:fifo_file rw_file_perms;
+ allow $1 self:fifo_file rw_fifo_file_perms;
allow $1 self:shm create_shm_perms;
allow $1 self:sem create_sem_perms;
allow $1 self:msgq create_msgq_perms;
@@ -120,7 +117,7 @@ interface(`portage_compile_domain',`
allow $1 self:netlink_selinux_socket { bind create read };
allow $1 self:dbus send_msg;
- allow $1 portage_devpts_t:chr_file { rw_file_perms setattr };
+ allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty($1,portage_devpts_t)
# write compile logs
@@ -130,18 +127,17 @@ interface(`portage_compile_domain',`
# run scripts out of the build directory
can_exec(portage_sandbox_t,portage_tmp_t)
- allow $1 portage_tmp_t:dir manage_dir_perms;
- allow $1 portage_tmp_t:file manage_file_perms;
- allow $1 portage_tmp_t:lnk_file create_lnk_perms;
- allow $1 portage_tmp_t:fifo_file manage_file_perms;
- allow $1 portage_tmp_t:sock_file manage_file_perms;
+ manage_dirs_pattern($1,portage_tmp_t,portage_tmp_t)
+ manage_files_pattern($1,portage_tmp_t,portage_tmp_t)
+ manage_lnk_files_pattern($1,portage_tmp_t,portage_tmp_t)
+ manage_fifo_files_pattern($1,portage_tmp_t,portage_tmp_t)
+ manage_sock_files_pattern($1,portage_tmp_t,portage_tmp_t)
files_tmp_filetrans($1,portage_tmp_t,{ dir file lnk_file sock_file fifo_file })
- allow $1 portage_tmpfs_t:dir rw_dir_perms;
- allow $1 portage_tmpfs_t:file manage_file_perms;
- allow $1 portage_tmpfs_t:lnk_file create_lnk_perms;
- allow $1 portage_tmpfs_t:sock_file manage_file_perms;
- allow $1 portage_tmpfs_t:fifo_file manage_file_perms;
+ manage_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
+ manage_lnk_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
+ manage_fifo_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
+ manage_sock_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_system_state($1)
@@ -229,13 +225,13 @@ interface(`portage_fetch_domain',`
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 portage_conf_t:dir list_dir_perms;
- allow $1 portage_conf_t:file read_file_perms;
+ read_files_pattern($1,portage_conf_t,portage_conf_t)
- allow $1 portage_ebuild_t:dir manage_dir_perms;
- allow $1 portage_ebuild_t:file manage_file_perms;
+ manage_dirs_pattern($1,portage_ebuild_t,portage_ebuild_t)
+ manage_files_pattern($1,portage_ebuild_t,portage_ebuild_t)
- allow $1 portage_fetch_tmp_t:dir manage_dir_perms;
- allow $1 portage_fetch_tmp_t:file manage_file_perms;
+ manage_dirs_pattern($1,portage_fetch_tmp_t,portage_fetch_tmp_t)
+ manage_files_pattern($1,portage_fetch_tmp_t,portage_fetch_tmp_t)
# portage makes home dir the portage tmp dir, so
# wget looks for .wgetrc there
@@ -302,7 +298,7 @@ interface(`portage_main_domain',`
# performed in the main domain
portage_compile_domain($1)
- allow $1 portage_log_t:file create_file_perms;
+ allow $1 portage_log_t:file manage_file_perms;
logging_log_filetrans($1,portage_log_t,file)
# run scripts out of the build directory
@@ -371,10 +367,7 @@ interface(`portage_domtrans_gcc_config',`
files_search_usr($1)
corecmd_search_bin($1)
- domain_auto_trans($1,gcc_config_exec_t,gcc_config_t)
- allow gcc_config_t $1:fd use;
- allow gcc_config_t $1:fifo_file rw_file_perms;
- allow gcc_config_t $1:process sigchld;
+ domtrans_pattern($1,gcc_config_exec_t,gcc_config_t)
')
########################################
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 1523fad9..8b1e5f26 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -75,14 +75,12 @@ files_tmpfs_file(portage_tmpfs_t)
allow gcc_config_t self:capability { chown fsetid };
allow gcc_config_t self:fifo_file rw_file_perms;
-allow gcc_config_t portage_cache_t:dir rw_dir_perms;
-allow gcc_config_t portage_cache_t:file create_file_perms;
+manage_files_pattern(gcc_config_t,portage_cache_t,portage_cache_t)
-allow gcc_config_t portage_conf_t:dir search_dir_perms;
-allow gcc_config_t portage_conf_t:file read_file_perms;
+read_files_pattern(gcc_config_t,portage_conf_t,portage_conf_t)
allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
-allow gcc_config_t portage_ebuild_t:file read_file_perms;
+read_files_pattern(gcc_config_t,portage_ebuild_t,portage_ebuild_t)
allow gcc_config_t portage_exec_t:file { execute getattr };
diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if
index 28052a33..406b4891 100644
--- a/policy/modules/admin/prelink.if
+++ b/policy/modules/admin/prelink.if
@@ -16,12 +16,7 @@ interface(`prelink_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1, prelink_exec_t, prelink_t)
-
- allow $1 prelink_t:fd use;
- allow prelink_t $1:fd use;
- allow prelink_t $1:fifo_file rw_file_perms;
- allow prelink_t $1:process sigchld;
+ domtrans_pattern($1, prelink_exec_t, prelink_t)
')
########################################
@@ -98,6 +93,5 @@ interface(`prelink_manage_log',`
')
logging_search_logs($1)
- allow $1 prelink_log_t:dir rw_dir_perms;
- allow $1 prelink_log_t:file create_file_perms;
+ manage_files_pattern($1,prelink_log_t,prelink_log_t)
')
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index ccec1e2a..d6244fb7 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -25,20 +25,21 @@ logging_log_file(prelink_log_t)
allow prelink_t self:capability { chown dac_override fowner fsetid };
allow prelink_t self:process { execheap execmem execstack signal };
-allow prelink_t self:fifo_file rw_file_perms;
+allow prelink_t self:fifo_file rw_fifo_file_perms;
allow prelink_t prelink_cache_t:file manage_file_perms;
files_etc_filetrans(prelink_t, prelink_cache_t, file)
files_var_lib_filetrans(prelink_t, prelink_cache_t, file)
-allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
-allow prelink_t prelink_log_t:file { create ra_file_perms };
-allow prelink_t prelink_log_t:lnk_file read;
+allow prelink_t prelink_log_t:dir setattr;
+create_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
+append_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
+read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
logging_log_filetrans(prelink_t, prelink_log_t, file)
# prelink misc objects that are not system
# libraries or entrypoints
-allow prelink_t prelink_object:file { create_file_perms execute relabelto relabelfrom };
+allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
kernel_read_system_state(prelink_t)
kernel_dontaudit_search_kernel_sysctl(prelink_t)
diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
index 1e954d05..9f4618ed 100644
--- a/policy/modules/admin/quota.if
+++ b/policy/modules/admin/quota.if
@@ -15,12 +15,7 @@ interface(`quota_domtrans',`
type quota_t, quota_exec_t;
')
- domain_auto_trans($1,quota_exec_t,quota_t)
-
- allow $1 quota_t:fd use;
- allow quota_t $1:fd use;
- allow quota_t $1:fifo_file rw_file_perms;
- allow quota_t $1:process sigchld;
+ domtrans_pattern($1,quota_exec_t,quota_t)
')
########################################
@@ -91,6 +86,5 @@ interface(`quota_manage_flags',`
')
files_search_var_lib($1)
- allow $1 quota_flag_t:dir rw_dir_perms;
- allow $1 quota_flag_t:file create_file_perms;
+ manage_files_pattern($1,quota_flag_t,quota_flag_t)
')
diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
index fa48c693..ba9f393a 100644
--- a/policy/modules/admin/quota.te
+++ b/policy/modules/admin/quota.te
@@ -16,6 +16,11 @@ files_type(quota_db_t)
type quota_flag_t;
files_type(quota_flag_t)
+########################################
+#
+# Local policy
+#
+
allow quota_t self:capability { sys_admin dac_override };
dontaudit quota_t self:capability sys_tty_config;
allow quota_t self:process signal_perms;
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index dbf2ebea..92230358 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -21,8 +21,7 @@ files_pid_file(readahead_var_run_t)
dontaudit readahead_t self:capability { dac_override dac_read_search sys_tty_config };
allow readahead_t self:process signal_perms;
-allow readahead_t readahead_var_run_t:file create_file_perms;
-allow readahead_t readahead_var_run_t:dir rw_dir_perms;
+manage_files_pattern(readahead_t,readahead_var_run_t,readahead_var_run_t)
files_pid_filetrans(readahead_t,readahead_var_run_t,file)
kernel_read_kernel_sysctls(readahead_t)
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index c58a2bbb..11b82978 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -17,12 +17,7 @@ interface(`rpm_domtrans',`
files_search_usr($1)
corecmd_search_bin($1)
- domain_auto_trans($1,rpm_exec_t,rpm_t)
-
- allow $1 rpm_t:fd use;
- allow rpm_t $1:fd use;
- allow rpm_t $1:fifo_file rw_file_perms;
- allow rpm_t $1:process sigchld;
+ domtrans_pattern($1,rpm_exec_t,rpm_t)
')
########################################
@@ -42,8 +37,6 @@ interface(`rpm_domtrans_script',`
# transition to rpm script:
corecmd_shell_domtrans($1,rpm_script_t)
-
- allow $1 rpm_script_t:fd use;
allow rpm_script_t $1:fd use;
allow rpm_script_t $1:fifo_file rw_file_perms;
allow rpm_script_t $1:process sigchld;
@@ -137,7 +130,7 @@ interface(`rpm_read_pipes',`
type rpm_t;
')
- allow $1 rpm_t:fifo_file r_file_perms;
+ allow $1 rpm_t:fifo_file read_fifo_file_perms;
')
########################################
@@ -155,7 +148,7 @@ interface(`rpm_rw_pipes',`
type rpm_t;
')
- allow $1 rpm_t:fifo_file rw_file_perms;
+ allow $1 rpm_t:fifo_file rw_fifo_file_perms;
')
########################################
@@ -195,7 +188,7 @@ interface(`rpm_manage_log',`
')
logging_rw_generic_log_dirs($1)
- allow $1 rpm_log_t:file create_file_perms;
+ allow $1 rpm_log_t:file manage_file_perms;
')
########################################
@@ -232,9 +225,9 @@ interface(`rpm_read_db',`
')
files_search_var_lib($1)
- allow $1 rpm_var_lib_t:dir r_dir_perms;
- allow $1 rpm_var_lib_t:file r_file_perms;
- allow $1 rpm_var_lib_t:lnk_file r_file_perms;
+ allow $1 rpm_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t)
+ read_lnk_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t)
')
########################################
@@ -253,9 +246,8 @@ interface(`rpm_manage_db',`
')
files_search_var_lib($1)
- allow $1 rpm_var_lib_t:dir rw_dir_perms;
- allow $1 rpm_var_lib_t:file manage_file_perms;
- allow $1 rpm_var_lib_t:lnk_file create_lnk_perms;
+ manage_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t)
+ manage_lnk_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t)
')
########################################
@@ -275,6 +267,6 @@ interface(`rpm_dontaudit_manage_db',`
')
dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
- dontaudit $1 rpm_var_lib_t:file create_file_perms;
- dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
+ dontaudit $1 rpm_var_lib_t:file manage_file_perms;
+ dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index ad11d345..3248647f 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -56,7 +56,7 @@ allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
-allow rpm_t self:fifo_file rw_file_perms;
+allow rpm_t self:fifo_file rw_fifo_file_perms;
allow rpm_t self:unix_dgram_socket create_socket_perms;
allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_t self:unix_dgram_socket sendto;
@@ -71,20 +71,19 @@ allow rpm_t self:msg { send receive };
allow rpm_t self:dir search;
allow rpm_t self:file rw_file_perms;;
-allow rpm_t rpm_tmp_t:dir create_dir_perms;
-allow rpm_t rpm_tmp_t:file create_file_perms;
+manage_dirs_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t)
+manage_files_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t)
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
-allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
-allow rpm_t rpm_tmpfs_t:file create_file_perms;
-allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms;
-allow rpm_t rpm_tmpfs_t:sock_file create_file_perms;
-allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms;
+manage_dirs_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
+manage_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
+manage_lnk_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
+manage_fifo_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
+manage_sock_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Access /var/lib/rpm files
-allow rpm_t rpm_var_lib_t:file create_file_perms;
-allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(rpm_t,rpm_var_lib_t,rpm_var_lib_t)
files_var_lib_filetrans(rpm_t,rpm_var_lib_t,dir)
kernel_read_system_state(rpm_t)
@@ -184,7 +183,7 @@ ifdef(`targeted_policy',`
# cjp: these are here to stop type_transition
# conflicts since rpm_t is an alias of
# unconfined in the targeted policy
- allow rpm_t rpm_log_t:file create_file_perms;
+ allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t,rpm_log_t,file)
')
@@ -230,7 +229,7 @@ allow rpm_t sysadm_gph_t:fd use;
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow rpm_script_t self:fd use;
-allow rpm_script_t self:fifo_file rw_file_perms;
+allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_script_t self:unix_dgram_socket sendto;
@@ -240,25 +239,20 @@ allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
-allow rpm_script_t rpm_tmp_t:file r_file_perms;
+allow rpm_script_t rpm_tmp_t:file read_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton;
-allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
-allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
+manage_dirs_pattern(rpm_script_t,rpm_script_tmp_t,rpm_script_tmp_t)
+manage_files_pattern(rpm_script_t,rpm_script_tmp_t,rpm_script_tmp_t)
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
-allow rpm_script_t rpm_script_tmpfs_t:dir create_dir_perms;
-allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
-allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_lnk_perms;
-allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
-allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
+manage_dirs_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
+manage_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
+manage_lnk_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
+manage_fifo_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
+manage_sock_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-allow rpm_t rpm_script_t:fd use;
-allow rpm_script_t rpm_t:fd use;
-allow rpm_script_t rpm_t:fifo_file rw_file_perms;
-allow rpm_script_t rpm_t:process sigchld;
-
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index a12e817f..dee1ca1a 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -45,15 +45,12 @@ template(`su_restricted_domain_template', `
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:key { search write };
allow $1_su_t self:process { setexec setsched setrlimit };
- allow $1_su_t self:fifo_file rw_file_perms;
+ allow $1_su_t self:fifo_file rw_fifo_file_perms;
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
# Transition from the user domain to this domain.
- domain_auto_trans($2, su_exec_t, $1_su_t)
- allow $1_su_t $2:fd use;
- allow $1_su_t $2:fifo_file rw_file_perms;
- allow $1_su_t $2:process sigchld;
+ domtrans_pattern($2, su_exec_t, $1_su_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t,$2)
@@ -178,14 +175,11 @@ template(`su_per_role_template',`
allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:process { setexec setsched setrlimit };
- allow $1_su_t self:fifo_file rw_file_perms;
+ allow $1_su_t self:fifo_file rw_fifo_file_perms;
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
# Transition from the user domain to this domain.
- domain_auto_trans($2, su_exec_t, $1_su_t)
- allow $1_su_t $2:fd use;
- allow $1_su_t $2:fifo_file rw_file_perms;
- allow $1_su_t $2:process sigchld;
+ domtrans_pattern($2, su_exec_t, $1_su_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t,$2)
@@ -310,7 +304,7 @@ template(`su_per_role_template',`
')
ifdef(`TODO',`
- allow $1_su_t $1_home_t:file create_file_perms;
+ allow $1_su_t $1_home_t:file manage_file_perms;
# Access sshd cookie files.
allow $1_su_t sshd_tmp_t:file rw_file_perms;
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 07e894fc..e0ae7c05 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -61,7 +61,7 @@ template(`sudo_per_role_template',`
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
- allow $1_sudo_t self:fifo_file rw_file_perms;
+ allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
allow $1_sudo_t self:shm create_shm_perms;
allow $1_sudo_t self:sem create_sem_perms;
allow $1_sudo_t self:msgq create_msgq_perms;
@@ -73,18 +73,13 @@ template(`sudo_per_role_template',`
allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
# Enter this derived domain from the user domain
- domain_auto_trans($2, sudo_exec_t, $1_sudo_t)
- allow $1_sudo_t $2:fd use;
- allow $2 $1_sudo_t:fd use;
- allow $2 $1_sudo_t:fifo_file rw_file_perms;
- allow $2 $1_sudo_t:process sigchld;
+ domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t,$2)
allow $2 $1_sudo_t:fd use;
- allow $1_sudo_t $2:fd use;
- allow $1_sudo_t $2:fifo_file rw_file_perms;
- allow $1_sudo_t $2:process sigchld;
+ allow $2 $1_sudo_t:fifo_file rw_file_perms;
+ allow $2 $1_sudo_t:process sigchld;
kernel_read_kernel_sysctls($1_sudo_t)
kernel_read_system_state($1_sudo_t)
@@ -146,8 +141,8 @@ template(`sudo_per_role_template',`
')
ifdef(`pam.te', `
- allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
- allow $1_sudo_t pam_var_run_t:file create_file_perms;
+ allow $1_sudo_t pam_var_run_t:dir manage_dir_perms;
+ allow $1_sudo_t pam_var_run_t:file manage_file_perms;
')
') dnl end TODO
')
diff --git a/policy/modules/admin/sxid.if b/policy/modules/admin/sxid.if
index 114fad01..dd8ac62e 100644
--- a/policy/modules/admin/sxid.if
+++ b/policy/modules/admin/sxid.if
@@ -18,5 +18,5 @@ interface(`sxid_read_log',`
')
logging_search_logs($1)
- allow $1 sxid_log_t:file r_file_perms;
+ allow $1 sxid_log_t:file read_file_perms;
')
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
index 9501fb1e..08b5738a 100644
--- a/policy/modules/admin/sxid.te
+++ b/policy/modules/admin/sxid.te
@@ -25,15 +25,15 @@ files_tmp_file(sxid_tmp_t)
allow sxid_t self:capability { dac_override dac_read_search fsetid };
dontaudit sxid_t self:capability { setuid setgid sys_tty_config };
allow sxid_t self:process signal_perms;
-allow sxid_t self:fifo_file rw_file_perms;
+allow sxid_t self:fifo_file rw_fifo_file_perms;
allow sxid_t self:tcp_socket create_stream_socket_perms;
allow sxid_t self:udp_socket create_socket_perms;
-allow sxid_t sxid_log_t:file create_file_perms;
+allow sxid_t sxid_log_t:file manage_file_perms;
logging_log_filetrans(sxid_t,sxid_log_t,file)
-allow sxid_t sxid_tmp_t:dir create_dir_perms;
-allow sxid_t sxid_tmp_t:file create_file_perms;
+manage_dirs_pattern(sxid_t,sxid_tmp_t,sxid_tmp_t)
+manage_files_pattern(sxid_t,sxid_tmp_t,sxid_tmp_t)
files_tmp_filetrans(sxid_t, sxid_tmp_t, { file dir })
kernel_read_system_state(sxid_t)
diff --git a/policy/modules/admin/tripwire.if b/policy/modules/admin/tripwire.if
index 4db23aaa..2f2daf85 100644
--- a/policy/modules/admin/tripwire.if
+++ b/policy/modules/admin/tripwire.if
@@ -28,10 +28,7 @@ interface(`tripwire_domtrans_tripwire',`
type tripwire_t, tripwire_exec_t;
')
- domain_auto_trans($1,tripwire_exec_t,tripwire_t)
- allow tripwire_t $1:fd use;
- allow tripwire_t $1:fifo_file rw_file_perms;
- allow tripwire_t $1:process sigchld;
+ domtrans_pattern($1,tripwire_exec_t,tripwire_t)
')
########################################
@@ -81,10 +78,7 @@ interface(`tripwire_domtrans_twadmin',`
type twadmin_t, twadmin_exec_t;
')
- domain_auto_trans($1,twadmin_exec_t,twadmin_t)
- allow twadmin_t $1:fd use;
- allow twadmin_t $1:fifo_file rw_file_perms;
- allow twadmin_t $1:process sigchld;
+ domtrans_pattern($1,twadmin_exec_t,twadmin_t)
')
########################################
@@ -134,10 +128,7 @@ interface(`tripwire_domtrans_twprint',`
type twprint_t, twprint_exec_t;
')
- domain_auto_trans($1,twprint_exec_t,twprint_t)
- allow twprint_t $1:fd use;
- allow twprint_t $1:fifo_file rw_file_perms;
- allow twprint_t $1:process sigchld;
+ domtrans_pattern($1,twprint_exec_t,twprint_t)
')
########################################
@@ -187,10 +178,7 @@ interface(`tripwire_domtrans_siggen',`
type siggen_t, siggen_exec_t;
')
- domain_auto_trans($1,siggen_exec_t,siggen_t)
- allow siggen_t $1:fd use;
- allow siggen_t $1:fifo_file rw_file_perms;
- allow siggen_t $1:process sigchld;
+ domtrans_pattern($1,siggen_exec_t,siggen_t)
')
########################################
diff --git a/policy/modules/admin/tripwire.te b/policy/modules/admin/tripwire.te
index cb6a7c57..04def157 100644
--- a/policy/modules/admin/tripwire.te
+++ b/policy/modules/admin/tripwire.te
@@ -46,29 +46,24 @@ domain_entry_file(twprint_t,twprint_exec_t)
allow tripwire_t self:capability { setgid setuid dac_override };
-allow tripwire_t tripwire_etc_t:file r_file_perms;
-allow tripwire_t tripwire_etc_t:dir r_dir_perms;
-allow tripwire_t tripwire_etc_t:lnk_file { getattr read };
+allow tripwire_t tripwire_etc_t:dir list_dir_perms;
+read_files_pattern(tripwire_t,tripwire_etc_t,tripwire_etc_t)
+read_lnk_files_pattern(tripwire_t,tripwire_etc_t,tripwire_etc_t)
files_search_etc(tripwire_t)
-allow tripwire_t tripwire_tmp_t:dir manage_dir_perms;
-allow tripwire_t tripwire_tmp_t:file manage_file_perms;
-files_tmp_filetrans(tripwire_t, tripwire_tmp_t, { file dir })
-
# Tripwire report files
-allow tripwire_t tripwire_report_t:dir manage_dir_perms;
-allow tripwire_t tripwire_report_t:file manage_file_perms;
-allow tripwire_t tripwire_report_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(tripwire_t,tripwire_report_t,tripwire_report_t)
+manage_files_pattern(tripwire_t,tripwire_report_t,tripwire_report_t)
+manage_lnk_files_pattern(tripwire_t,tripwire_report_t,tripwire_report_t)
-allow tripwire_t tripwire_tmp_t:dir manage_dir_perms;
-allow tripwire_t tripwire_tmp_t:file manage_file_perms;
-allow tripwire_t tripwire_tmp_t:lnk_file create_lnk_perms;
-allow tripwire_t tripwire_tmp_t:sock_file manage_file_perms;
-allow tripwire_t tripwire_tmp_t:fifo_file manage_file_perms;
-files_tmp_filetrans(tripwire_t,tripwire_tmp_t,{ file lnk_file sock_file fifo_file })
+manage_dirs_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
+manage_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
+manage_lnk_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
+manage_fifo_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
+manage_sock_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
+files_tmp_filetrans(tripwire_t,tripwire_tmp_t,{ dir file lnk_file sock_file fifo_file })
-allow tripwire_t tripwire_var_lib_t:file manage_file_perms;
-allow tripwire_t tripwire_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(tripwire_t,tripwire_var_lib_t,tripwire_var_lib_t)
files_var_lib_filetrans(tripwire_t,tripwire_var_lib_t,file)
kernel_read_system_state(tripwire_t)
@@ -102,9 +97,9 @@ optional_policy(`
# Twadmin local policy
#
-allow twadmin_t tripwire_etc_t:dir manage_dir_perms;
-allow twadmin_t tripwire_etc_t:file manage_file_perms;
-allow twadmin_t tripwire_etc_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(twadmin_t,tripwire_etc_t,tripwire_etc_t)
+manage_files_pattern(twadmin_t,tripwire_etc_t,tripwire_etc_t)
+manage_lnk_files_pattern(twadmin_t,tripwire_etc_t,tripwire_etc_t)
domain_use_interactive_fds(twadmin_t)
@@ -120,17 +115,17 @@ miscfiles_read_localization(twadmin_t)
# Twprint local policy
#
-allow twprint_t tripwire_etc_t:dir r_dir_perms;
-allow twprint_t tripwire_etc_t:file r_file_perms;
-allow twprint_t tripwire_etc_t:lnk_file { getattr read };
+allow twprint_t tripwire_etc_t:dir list_dir_perms;
+read_files_pattern(twprint_t,tripwire_etc_t,tripwire_etc_t)
+read_lnk_files_pattern(twprint_t,tripwire_etc_t,tripwire_etc_t)
-allow twprint_t tripwire_report_t:dir r_dir_perms;
-allow twprint_t tripwire_report_t:file r_file_perms;
-allow twprint_t tripwire_report_t:lnk_file { getattr read };
+allow twprint_t tripwire_report_t:dir list_dir_perms;
+read_files_pattern(twprint_t,tripwire_report_t,tripwire_report_t)
+read_lnk_files_pattern(twprint_t,tripwire_report_t,tripwire_report_t)
-allow twprint_t tripwire_var_lib_t:dir r_dir_perms;
-allow twprint_t tripwire_var_lib_t:file r_file_perms;
-allow twprint_t tripwire_var_lib_t:lnk_file { getattr read };
+allow twprint_t tripwire_var_lib_t:dir list_dir_perms;
+read_files_pattern(twprint_t,tripwire_var_lib_t,tripwire_var_lib_t)
+read_lnk_files_pattern(twprint_t,tripwire_var_lib_t,tripwire_var_lib_t)
files_search_var_lib(twprint_t)
domain_use_interactive_fds(twprint_t)
diff --git a/policy/modules/admin/updfstab.if b/policy/modules/admin/updfstab.if
index dad4bef9..f902aab3 100644
--- a/policy/modules/admin/updfstab.if
+++ b/policy/modules/admin/updfstab.if
@@ -17,10 +17,5 @@ interface(`updfstab_domtrans',`
files_search_usr($1)
corecmd_search_sbin($1)
- domain_auto_trans($1,updfstab_exec_t,updfstab_t)
-
- allow $1 updfstab_t:fd use;
- allow updfstab_t $1:fd use;
- allow updfstab_t $1:fifo_file rw_file_perms;
- allow updfstab_t $1:process sigchld;
+ domtrans_pattern($1,updfstab_exec_t,updfstab_t)
')
diff --git a/policy/modules/admin/usbmodules.if b/policy/modules/admin/usbmodules.if
index fea1445a..50c1dc3a 100644
--- a/policy/modules/admin/usbmodules.if
+++ b/policy/modules/admin/usbmodules.if
@@ -15,13 +15,7 @@ interface(`usbmodules_domtrans',`
type usbmodules_t, usbmodules_exec_t;
')
- domain_auto_trans($1, usbmodules_exec_t, usbmodules_t)
-
- allow $1 usbmodules_t:fd use;
- allow usbmodules_t $1:fd use;
- allow usbmodules_t $1:fifo_file rw_file_perms;
- allow usbmodules_t $1:process sigchld;
-
+ domtrans_pattern($1, usbmodules_exec_t, usbmodules_t)
')
########################################
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index b49086db..f71a57f0 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -17,12 +17,7 @@ interface(`usermanage_domtrans_chfn',`
files_search_usr($1)
corecmd_search_bin($1)
- domain_auto_trans($1,chfn_exec_t,chfn_t)
-
- allow $1 chfn_t:fd use;
- allow chfn_t $1:fd use;
- allow chfn_t $1:fifo_file rw_file_perms;
- allow chfn_t $1:process sigchld;
+ domtrans_pattern($1,chfn_exec_t,chfn_t)
')
########################################
@@ -73,12 +68,7 @@ interface(`usermanage_domtrans_groupadd',`
files_search_usr($1)
corecmd_search_sbin($1)
- domain_auto_trans($1,groupadd_exec_t,groupadd_t)
-
- allow $1 groupadd_t:fd use;
- allow groupadd_t $1:fd use;
- allow groupadd_t $1:fifo_file rw_file_perms;
- allow groupadd_t $1:process sigchld;
+ domtrans_pattern($1,groupadd_exec_t,groupadd_t)
')
########################################
@@ -130,12 +120,7 @@ interface(`usermanage_domtrans_passwd',`
files_search_usr($1)
corecmd_search_bin($1)
- domain_auto_trans($1,passwd_exec_t,passwd_t)
-
- allow $1 passwd_t:fd use;
- allow passwd_t $1:fd use;
- allow passwd_t $1:fifo_file rw_file_perms;
- allow passwd_t $1:process sigchld;
+ domtrans_pattern($1,passwd_exec_t,passwd_t)
')
########################################
@@ -187,12 +172,7 @@ interface(`usermanage_domtrans_admin_passwd',`
files_search_usr($1)
corecmd_search_bin($1)
- domain_auto_trans($1,admin_passwd_exec_t,sysadm_passwd_t)
-
- allow $1 sysadm_passwd_t:fd use;
- allow sysadm_passwd_t $1:fd use;
- allow sysadm_passwd_t $1:fifo_file rw_file_perms;
- allow sysadm_passwd_t $1:process sigchld;
+ domtrans_pattern($1,admin_passwd_exec_t,sysadm_passwd_t)
')
########################################
@@ -245,12 +225,7 @@ interface(`usermanage_domtrans_useradd',`
files_search_usr($1)
corecmd_search_sbin($1)
- domain_auto_trans($1,useradd_exec_t,useradd_t)
-
- allow $1 useradd_t:fd use;
- allow useradd_t $1:fd use;
- allow useradd_t $1:fifo_file rw_file_perms;
- allow useradd_t $1:process sigchld;
+ domtrans_pattern($1,useradd_exec_t,useradd_t)
')
########################################
@@ -300,5 +275,5 @@ interface(`usermanage_read_crack_db',`
type crack_db_t;
')
- allow $1 crack_db_t:file r_file_perms;
+ allow $1 crack_db_t:file read_file_perms;
')
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index d48cd015..5c0c5d34 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -68,8 +68,8 @@ allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resou
allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow chfn_t self:process { setrlimit setfscreate };
allow chfn_t self:fd use;
-allow chfn_t self:fifo_file rw_file_perms;
-allow chfn_t self:sock_file r_file_perms;
+allow chfn_t self:fifo_file rw_fifo_file_perms;
+allow chfn_t self:sock_file read_sock_file_perms;
allow chfn_t self:shm create_shm_perms;
allow chfn_t self:sem create_sem_perms;
allow chfn_t self:msgq create_msgq_perms;
@@ -146,15 +146,14 @@ optional_policy(`
#
allow crack_t self:process { sigkill sigstop signull signal };
-allow crack_t self:fifo_file rw_file_perms;
+allow crack_t self:fifo_file rw_fifo_file_perms;
-allow crack_t crack_db_t:dir rw_dir_perms;
-allow crack_t crack_db_t:file create_file_perms;
-allow crack_t crack_db_t:lnk_file create_file_perms;
+manage_files_pattern(crack_t,crack_db_t,crack_db_t)
+manage_lnk_files_pattern(crack_t,crack_db_t,crack_db_t)
files_search_var(crack_t)
-allow crack_t crack_tmp_t:dir create_dir_perms;
-allow crack_t crack_tmp_t:file create_file_perms;
+manage_dirs_pattern(crack_t,crack_tmp_t,crack_tmp_t)
+manage_files_pattern(crack_t,crack_tmp_t,crack_tmp_t)
files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
kernel_read_system_state(crack_t)
@@ -193,7 +192,7 @@ dontaudit groupadd_t self:capability { fsetid sys_tty_config };
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow groupadd_t self:process { setrlimit setfscreate };
allow groupadd_t self:fd use;
-allow groupadd_t self:fifo_file rw_file_perms;
+allow groupadd_t self:fifo_file rw_fifo_file_perms;
allow groupadd_t self:shm create_shm_perms;
allow groupadd_t self:sem create_sem_perms;
allow groupadd_t self:msgq create_msgq_perms;
@@ -274,8 +273,8 @@ allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_res
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
allow passwd_t self:fd use;
-allow passwd_t self:fifo_file rw_file_perms;
-allow passwd_t self:sock_file r_file_perms;
+allow passwd_t self:fifo_file rw_fifo_file_perms;
+allow passwd_t self:sock_file read_sock_file_perms;
allow passwd_t self:unix_dgram_socket create_socket_perms;
allow passwd_t self:unix_stream_socket create_stream_socket_perms;
allow passwd_t self:unix_dgram_socket sendto;
@@ -286,8 +285,8 @@ allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };
-allow passwd_t crack_db_t:dir r_dir_perms;
-allow passwd_t crack_db_t:file r_file_perms;
+allow passwd_t crack_db_t:dir list_dir_perms;
+read_files_pattern(passwd_t,crack_db_t,crack_db_t)
kernel_read_kernel_sysctls(passwd_t)
@@ -363,8 +362,8 @@ allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sysadm_passwd_t self:process { setrlimit setfscreate };
allow sysadm_passwd_t self:fd use;
-allow sysadm_passwd_t self:fifo_file rw_file_perms;
-allow sysadm_passwd_t self:sock_file r_file_perms;
+allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms;
+allow sysadm_passwd_t self:sock_file read_sock_file_perms;
allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
allow sysadm_passwd_t self:unix_dgram_socket sendto;
@@ -375,8 +374,8 @@ allow sysadm_passwd_t self:msgq create_msgq_perms;
allow sysadm_passwd_t self:msg { send receive };
# allow vipw to create temporary files under /var/tmp/vi.recover
-allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
-allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
+manage_dirs_pattern(sysadm_passwd_t,sysadm_passwd_tmp_t,sysadm_passwd_tmp_t)
+manage_files_pattern(sysadm_passwd_t,sysadm_passwd_tmp_t,sysadm_passwd_tmp_t)
files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
files_search_var(sysadm_passwd_t)
files_dontaudit_search_home(sysadm_passwd_t)
@@ -458,7 +457,7 @@ dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
allow useradd_t self:fd use;
-allow useradd_t self:fifo_file rw_file_perms;
+allow useradd_t self:fifo_file rw_fifo_file_perms;
allow useradd_t self:shm create_shm_perms;
allow useradd_t self:sem create_sem_perms;
allow useradd_t self:msgq create_msgq_perms;
diff --git a/policy/modules/admin/vbetool.if b/policy/modules/admin/vbetool.if
index 729e9a06..c5faff51 100644
--- a/policy/modules/admin/vbetool.if
+++ b/policy/modules/admin/vbetool.if
@@ -16,11 +16,5 @@ interface(`vbetool_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,vbetool_exec_t,vbetool_t)
-
- allow $1 vbetool_t:fd use;
- allow vbetool_t $1:fd use;
- allow vbetool_t $1:fifo_file rw_file_perms;
- allow vbetool_t $1:process sigchld;
-
+ domtrans_pattern($1,vbetool_exec_t,vbetool_t)
')
diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if
index fea1dd4a..76916e15 100644
--- a/policy/modules/admin/vpn.if
+++ b/policy/modules/admin/vpn.if
@@ -15,12 +15,7 @@ interface(`vpn_domtrans',`
type vpnc_t, vpnc_exec_t;
')
- domain_auto_trans($1,vpnc_exec_t,vpnc_t)
-
- allow $1 vpnc_t:fd use;
- allow vpnc_t $1:fd use;
- allow vpnc_t $1:fifo_file rw_file_perms;
- allow vpnc_t $1:process sigchld;
+ domtrans_pattern($1,vpnc_exec_t,vpnc_t)
')
########################################
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index 275fb948..f6af2c37 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -36,12 +36,11 @@ allow vpnc_t self:unix_stream_socket create_socket_perms;
# cjp: this needs to be fixed
allow vpnc_t self:socket create_socket_perms;
-allow vpnc_t vpnc_tmp_t:dir create_dir_perms;
-allow vpnc_t vpnc_tmp_t:file create_file_perms;
+manage_dirs_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t)
+manage_files_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t)
files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
-allow vpnc_t vpnc_var_run_t:file create_file_perms;
-allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
+manage_files_pattern(vpnc_t,vpnc_var_run_t,vpnc_var_run_t)
files_pid_filetrans(vpnc_t,vpnc_var_run_t,file)
kernel_read_system_state(vpnc_t)
diff --git a/policy/modules/apps/ada.if b/policy/modules/apps/ada.if
index c2ba6983..e07b7a57 100644
--- a/policy/modules/apps/ada.if
+++ b/policy/modules/apps/ada.if
@@ -17,12 +17,7 @@ interface(`ada_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, ada_exec_t, ada_t)
-
- allow $1 ada_t:fd use;
- allow ada_t $1:fd use;
- allow ada_t $1:fifo_file rw_file_perms;
- allow ada_t $1:process sigchld;
+ domtrans_pattern($1, ada_exec_t, ada_t)
',`
refpolicywarn(`$0($1) has no effect in strict policy.')
')
diff --git a/policy/modules/apps/authbind.if b/policy/modules/apps/authbind.if
index 84134d08..e17ee67a 100644
--- a/policy/modules/apps/authbind.if
+++ b/policy/modules/apps/authbind.if
@@ -15,9 +15,6 @@ interface(`authbind_domtrans',`
type authbind_t, authbind_exec_t;
')
- domain_auto_trans($1,authbind_exec_t,authbind_t)
- allow authbind_t $1:fd use;
- allow authbind_t $1:fifo_file rw_file_perms;
- allow authbind_t $1:process sigchld;
+ domtrans_pattern($1,authbind_exec_t,authbind_t)
allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
')
diff --git a/policy/modules/apps/authbind.te b/policy/modules/apps/authbind.te
index 292dda20..2fd4f95a 100644
--- a/policy/modules/apps/authbind.te
+++ b/policy/modules/apps/authbind.te
@@ -22,10 +22,10 @@ files_config_file(authbind_etc_t)
allow authbind_t self:capability net_bind_service;
-can_exec(authbind_t, authbind_etc_t)
-allow authbind_t authbind_etc_t:file r_file_perms;
-allow authbind_t authbind_etc_t:dir r_dir_perms;
-allow authbind_t authbind_etc_t:lnk_file { getattr read };
+allow authbind_t authbind_etc_t:dir list_dir_perms;
+exec_files_pattern(authbind_t,authbind_etc_t,authbind_etc_t)
+read_lnk_files_pattern(authbind_t,authbind_etc_t,authbind_etc_t)
+
files_list_etc(authbind_t)
term_use_console(authbind_t)
diff --git a/policy/modules/apps/calamaris.if b/policy/modules/apps/calamaris.if
index e180a594..767a1816 100644
--- a/policy/modules/apps/calamaris.if
+++ b/policy/modules/apps/calamaris.if
@@ -15,7 +15,7 @@ interface(`calamaris_read_www_files',`
type calamaris_www_t;
')
- allow $1 calamaris_www_t:dir r_dir_perms;
- allow $1 calamaris_www_t:file r_file_perms;
- allow $1 calamaris_www_t:lnk_file { getattr read };
+ allow $1 calamaris_www_t:dir list_dir_perms;
+ read_files_pattern($1,calamaris_www_t,calamaris_www_t)
+ read_lnk_files_pattern($1,calamaris_www_t,calamaris_www_t)
')
diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te
index 98c88320..5bb18e3d 100644
--- a/policy/modules/apps/calamaris.te
+++ b/policy/modules/apps/calamaris.te
@@ -29,12 +29,10 @@ allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
allow calamaris_t self:tcp_socket create_stream_socket_perms;
allow calamaris_t self:udp_socket create_socket_perms;
-allow calamaris_t calamaris_www_t:dir rw_dir_perms;
-allow calamaris_t calamaris_www_t:file manage_file_perms;
-allow calamaris_t calamaris_www_t:lnk_file create_lnk_perms;
+manage_files_pattern(calamaris_t,calamaris_www_t,calamaris_www_t)
+manage_lnk_files_pattern(calamaris_t,calamaris_www_t,calamaris_www_t)
-allow calamaris_t calamaris_log_t:file create_file_perms;
-allow calamaris_t calamaris_log_t:dir rw_dir_perms;
+manage_files_pattern(calamaris_t,calamaris_log_t,calamaris_log_t)
logging_log_filetrans(calamaris_t,calamaris_log_t,{ file dir })
kernel_read_all_sysctls(calamaris_t)
diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if
index d20691e0..09ea3c90 100644
--- a/policy/modules/apps/cdrecord.if
+++ b/policy/modules/apps/cdrecord.if
@@ -61,17 +61,11 @@ template(`cdrecord_per_role_template', `
allow $1_cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
# allow ps to show cdrecord and allow the user to kill it
- allow $2 $1_cdrecord_t:dir { search getattr read };
- allow $2 $1_cdrecord_t:{ file lnk_file } { read getattr };
- allow $2 $1_cdrecord_t:process getattr;
+ ps_process_pattern($2,$1_cdrecord_t)
allow $2 $1_cdrecord_t:process signal;
# Transition from the user domain to the derived domain.
- domain_auto_trans($2, cdrecord_exec_t, $1_cdrecord_t)
- allow $2 $1_cdrecord_t:fd use;
- allow $1_cdrecord_t $2:fd use;
- allow $1_cdrecord_t $2:fifo_file rw_file_perms;
- allow $1_cdrecord_t $2:process sigchld;
+ domtrans_pattern($2,cdrecord_exec_t,$1_cdrecord_t)
# allow searching for cdrom-drive
dev_list_all_dev_nodes($1_cdrecord_t)
diff --git a/policy/modules/apps/ethereal.if b/policy/modules/apps/ethereal.if
index 6d0eda3e..91789daf 100644
--- a/policy/modules/apps/ethereal.if
+++ b/policy/modules/apps/ethereal.if
@@ -70,36 +70,38 @@ template(`ethereal_per_role_template',`
allow $1_ethereal_t self:tcp_socket create_socket_perms;
allow $1_ethereal_t self:udp_socket create_socket_perms;
- # Store temporary files
- allow $1_ethereal_t $1_ethereal_tmp_t:dir create_dir_perms;
- allow $1_ethereal_t $1_ethereal_tmp_t:file create_file_perms;
- files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
-
# Re-execute itself (why?)
can_exec($1_ethereal_t, ethereal_exec_t)
corecmd_search_sbin($1_ethereal_t)
# /home/.ethereal
- allow $1_ethereal_t $1_ethereal_home_t:dir manage_dir_perms;
- allow $1_ethereal_t $1_ethereal_home_t:file manage_file_perms;
- allow $1_ethereal_t $1_ethereal_home_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
+ manage_files_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
+ manage_lnk_files_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
userdom_user_home_dir_filetrans($1,$1_ethereal_t,$1_ethereal_home_t,dir)
- allow $1_ethereal_t $1_ethereal_tmpfs_t:dir manage_dir_perms;
- allow $1_ethereal_t $1_ethereal_tmpfs_t:file manage_file_perms;
- allow $1_ethereal_t $1_ethereal_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_ethereal_t $1_ethereal_tmpfs_t:sock_file manage_file_perms;
- allow $1_ethereal_t $1_ethereal_tmpfs_t:fifo_file manage_file_perms;
+ # Store temporary files
+ manage_dirs_pattern($1_ethereal_t,$1_ethereal_tmp_t,$1_ethereal_tmp_t)
+ manage_files_pattern($1_ethereal_t,$1_ethereal_tmp_t,$1_ethereal_tmp_t)
+ files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
+
+ manage_dirs_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
+ manage_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
+ manage_lnk_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
+ manage_sock_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
+ manage_fifo_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
fs_tmpfs_filetrans($1_ethereal_t,$1_ethereal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)
allow $1_ethereal_t $2:fd use;
allow $1_ethereal_t $2:process sigchld;
- allow $2 $1_ethereal_home_t:dir manage_dir_perms;
- allow $2 $1_ethereal_home_t:file manage_file_perms;
- allow $2 $1_ethereal_home_t:lnk_file create_lnk_perms;
- allow $2 $1_ethereal_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+ manage_dirs_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
+ manage_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
+ manage_lnk_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
+ relabel_dirs_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
+ relabel_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
+ relabel_lnk_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
kernel_read_kernel_sysctls($1_ethereal_t)
kernel_read_system_state($1_ethereal_t)
@@ -240,12 +242,7 @@ template(`ethereal_domtrans_user_ethereal',`
type $1_ethereal_t, ethereal_exec_t;
')
- domain_auto_trans($2,ethereal_exec_t,$1_ethereal_t)
-
- allow $2 $1_ethereal_t:fd use;
- allow $1_ethereal_t $2:fd use;
- allow $1_ethereal_t $2:fifo_file rw_file_perms;
- allow $1_ethereal_t $2:process sigchld;
+ domtrans_pattern($2,ethereal_exec_t,$1_ethereal_t)
')
########################################
@@ -263,12 +260,7 @@ template(`ethereal_domtrans_tethereal',`
type tethereal_t, tethereal_exec_t;
')
- domain_auto_trans($1,tethereal_exec_t,tethereal_t)
-
- allow $1 tethereal_t:fd use;
- allow tethereal_t $1:fd use;
- allow tethereal_t $1:fifo_file rw_file_perms;
- allow tethereal_t $1:process sigchld;
+ domtrans_pattern($1,tethereal_exec_t,tethereal_t)
')
########################################
diff --git a/policy/modules/apps/ethereal.te b/policy/modules/apps/ethereal.te
index 7e9743bf..433765a0 100644
--- a/policy/modules/apps/ethereal.te
+++ b/policy/modules/apps/ethereal.te
@@ -30,8 +30,8 @@ allow tethereal_t self:tcp_socket create_socket_perms;
allow tethereal_t self:udp_socket create_socket_perms;
# Store temporary files
-allow tethereal_t tethereal_tmp_t:dir create_dir_perms;
-allow tethereal_t tethereal_tmp_t:file create_file_perms;
+manage_dirs_pattern(tethereal_t,tethereal_tmp_t,tethereal_tmp_t)
+manage_files_pattern(tethereal_t,tethereal_tmp_t,tethereal_tmp_t)
files_tmp_filetrans(tethereal_t, tethereal_tmp_t, { dir file })
# /proc
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index 9f197dcc..02ccdba7 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -442,7 +442,7 @@ template(`evolution_per_role_template',`
# Put secret files in .gnome2_private
allow $1_evolution_t $1_gnome_secret_t:dir rw_dir_perms;
- allow $1_evolution_t $1_evolutioin_secret_t:file create_file_perms;
+ allow $1_evolution_t $1_evolutioin_secret_t:file manage_file_perms;
type_transition $1_evolution_t $1_gnome_secret_t:file $1_evolutioin_secret_t;
allow $2 $1_evolution_secret_t:file unlink;
@@ -535,16 +535,16 @@ template(`evolution_per_role_template',`
allow $1_evolution_exchange_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
# Access evolution home
- allow $1_evolution_exchange_t $1_evolution_home_t:dir create_dir_perms;
- allow $1_evolution_exchange_t $1_evolution_home_t:file create_file_perms;
+ allow $1_evolution_exchange_t $1_evolution_home_t:dir manage_dir_perms;
+ allow $1_evolution_exchange_t $1_evolution_home_t:file manage_file_perms;
allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file create_lnk_perms;
allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto;
allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write;
# /tmp/.exchange-$USER
- allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir create_dir_perms;
- allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file create_file_perms;
+ allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir manage_dir_perms;
+ allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmp_t, { file dir })
allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:dir rw_dir_perms;
@@ -619,8 +619,8 @@ template(`evolution_per_role_template',`
allow $1_evolution_server_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
# Access evolution home
- allow $1_evolution_server_t $1_evolution_home_t:dir create_dir_perms;
- allow $1_evolution_server_t $1_evolution_home_t:file create_file_perms;
+ allow $1_evolution_server_t $1_evolution_home_t:dir manage_dir_perms;
+ allow $1_evolution_server_t $1_evolution_home_t:file manage_file_perms;
allow $1_evolution_server_t $1_evolution_home_t:lnk_file create_lnk_perms;
allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
index 685a6564..91fe9e70 100644
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@@ -62,23 +62,21 @@ template(`games_per_role_template',`
allow $1_games_t self:tcp_socket create_stream_socket_perms;
allow $1_games_t self:udp_socket create_socket_perms;
- allow $1_games_t $1_games_tmpfs_t:dir rw_dir_perms;
- allow $1_games_t $1_games_tmpfs_t:file manage_file_perms;
- allow $1_games_t $1_games_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_games_t $1_games_tmpfs_t:sock_file manage_file_perms;
- allow $1_games_t $1_games_tmpfs_t:fifo_file manage_file_perms;
- fs_tmpfs_filetrans($1_games_t,$1_games_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ manage_files_pattern($1_games_t,games_data_t,games_data_t)
+ manage_lnk_files_pattern($1_games_t,games_data_t,games_data_t)
- allow $1_games_t $1_games_tmp_t:dir manage_dir_perms;
- allow $1_games_t $1_games_tmp_t:file manage_file_perms;
- files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
-
- allow $1_games_t $1_games_devpts_t:chr_file { rw_file_perms setattr };
+ allow $1_games_t $1_games_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty($1_games_t,$1_games_devpts_t)
- allow $1_games_t games_data_t:dir rw_dir_perms;
- allow $1_games_t games_data_t:file manage_file_perms;
- allow $1_games_t games_data_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_games_t,$1_games_tmp_t,$1_games_tmp_t)
+ manage_files_pattern($1_games_t,$1_games_tmp_t,$1_games_tmp_t)
+ files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
+
+ manage_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
+ manage_lnk_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
+ manage_fifo_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
+ manage_sock_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
+ fs_tmpfs_filetrans($1_games_t,$1_games_tmpfs_t,{ file lnk_file sock_file fifo_file })
can_exec($1_games_t, games_exec_t)
@@ -159,8 +157,8 @@ template(`games_per_role_template',`
gnome_file_dialog($1_games, $1)
# Access /home/user/.gnome2
# FIXME: Change to use per app types
- allow $1_games_t $1_gnome_settings_t:dir create_dir_perms;
- allow $1_games_t $1_gnome_settings_t:file create_file_perms;
+ allow $1_games_t $1_gnome_settings_t:dir manage_dir_perms;
+ allow $1_games_t $1_gnome_settings_t:file manage_file_perms;
allow $1_games_t $1_gnome_settings_t:lnk_file create_lnk_perms;
#missing policy
optional_policy(`
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index fea04e73..cf2d88e0 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -26,12 +26,10 @@ files_pid_file(games_var_run_t)
dontaudit games_t self:capability sys_tty_config;
allow games_t self:process signal_perms;
-allow games_t games_data_t:dir rw_dir_perms;
-allow games_t games_data_t:file manage_file_perms;
-allow games_t games_data_t:lnk_file create_lnk_perms;
+manage_files_pattern(games_t,games_data_t,games_data_t)
+manage_lnk_files_pattern(games_t,games_data_t,games_data_t)
-allow games_t games_var_run_t:file manage_file_perms;
-allow games_t games_var_run_t:dir rw_dir_perms;
+manage_files_pattern(games_t,games_var_run_t,games_var_run_t)
files_pid_filetrans(games_t,games_var_run_t,file)
can_exec(games_t,games_exec_t)
diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if
index 5a707ef5..18959471 100644
--- a/policy/modules/apps/gift.if
+++ b/policy/modules/apps/gift.if
@@ -63,40 +63,34 @@ template(`gift_per_role_template',`
allow $1_gift_t self:tcp_socket create_socket_perms;
- allow $1_gift_t $1_gift_tmpfs_t:dir rw_dir_perms;
- allow $1_gift_t $1_gift_tmpfs_t:file manage_file_perms;
- allow $1_gift_t $1_gift_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_gift_t $1_gift_tmpfs_t:sock_file manage_file_perms;
- allow $1_gift_t $1_gift_tmpfs_t:fifo_file manage_file_perms;
+ manage_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
+ manage_lnk_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
+ manage_fifo_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
+ manage_sock_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
fs_tmpfs_filetrans($1_gift_t,$1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
- allow $1_gift_t $1_gift_home_t:dir manage_dir_perms;
- allow $1_gift_t $1_gift_home_t:file manage_file_perms;
- allow $1_gift_t $1_gift_home_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
+ manage_files_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
+ manage_lnk_files_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
userdom_user_home_dir_filetrans($1,$1_gift_t,$1_gift_home_t,dir)
# Launch gift daemon
- domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
- allow $1_giftd_t $1_gift_t:fd use;
- allow $1_giftd_t $1_gift_t:fifo_file rw_file_perms;
- allow $1_giftd_t $1_gift_t:process sigchld;
+ domtrans_pattern($1_gift_t, giftd_exec_t, $1_giftd_t)
# transition from user domain
- domain_auto_trans($2, gift_exec_t, $1_gift_t)
- allow $1_gift_t $2:fd use;
- allow $1_gift_t $2:fifo_file rw_file_perms;
- allow $1_gift_t $2:process sigchld;
+ domtrans_pattern($2, gift_exec_t, $1_gift_t)
# user managed content
- allow $2 $1_gift_home_t:dir manage_dir_perms;
- allow $2 $1_gift_home_t:file manage_file_perms;
- allow $2 $1_gift_home_t:lnk_file create_lnk_perms;
- allow $2 $1_gift_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+ manage_dirs_pattern($2,$1_gift_home_t,$1_gift_home_t)
+ manage_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
+ manage_lnk_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
+ relabel_dirs_pattern($2,$1_gift_home_t,$1_gift_home_t)
+ relabel_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
+ relabel_lnk_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
# Allow the user domain to signal/ps.
- allow $2 $1_gift_t:dir { search getattr read };
- allow $2 $1_gift_t:{ file lnk_file } { read getattr };
- allow $2 $1_gift_t:process { getattr signal_perms };
+ ps_process_pattern($2,$1_gift_t)
+ allow $2 $1_gift_t:process signal_perms;
# Read /proc/meminfo
kernel_read_system_state($1_giftd_t)
@@ -150,15 +144,12 @@ template(`gift_per_role_template',`
allow $1_giftd_t self:tcp_socket create_stream_socket_perms;
allow $1_giftd_t self:udp_socket create_socket_perms;
- allow $1_giftd_t $1_gift_home_t:dir manage_dir_perms;
- allow $1_giftd_t $1_gift_home_t:file manage_file_perms;
- allow $1_giftd_t $1_gift_home_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
+ manage_files_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
+ manage_lnk_files_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
userdom_user_home_dir_filetrans($1,$1_giftd_t,$1_gift_home_t,dir)
- domain_auto_trans($2, giftd_exec_t, $1_giftd_t)
- allow $1_giftd_t $2:fd use;
- allow $1_giftd_t $2:fifo_file rw_file_perms;
- allow $1_giftd_t $2:process sigchld;
+ domtrans_pattern($2, giftd_exec_t, $1_giftd_t)
kernel_read_system_state($1_giftd_t)
kernel_read_kernel_sysctls($1_giftd_t)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index 46ee2da3..d9b5fc96 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -59,12 +59,12 @@ template(`gnome_per_role_template',`
allow $1_gconfd_t self:process getsched;
- allow $1_gconfd_t $1_gconf_home_t:dir manage_dir_perms;
- allow $1_gconfd_t $1_gconf_home_t:file manage_file_perms;
+ manage_dirs_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
+ manage_files_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
userdom_user_home_dir_filetrans($1, $1_gconfd_t, $1_gconf_home_t, dir)
- allow $1_gconfd_t $1_gconf_tmp_t:dir manage_dir_perms;
- allow $1_gconfd_t $1_gconf_tmp_t:file manage_file_perms;
+ manage_dirs_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t)
+ manage_files_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t)
userdom_user_tmp_filetrans($1,$1_gconfd_t,$1_gconf_tmp_t,{ dir file })
domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t)
@@ -73,7 +73,7 @@ template(`gnome_per_role_template',`
allow $1_gconfd_t $2:unix_stream_socket connectto;
allow $1_gconfd_t gconf_etc_t:dir list_dir_perms;
- allow $1_gconfd_t gconf_etc_t:file read_file_perms;
+ read_files_pattern($1_gconfd_t,gconf_etc_t,gconf_etc_t)
dev_read_urand($1_gconfd_t)
@@ -125,5 +125,5 @@ template(`gnome_stream_connect_gconf_template',`
')
allow $2 $1_gconfd_t:unix_stream_socket connectto;
- allow $2 $1_gconf_tmp_t:file r_file_perms;
+ allow $2 $1_gconf_tmp_t:file read_file_perms;
')
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index b125e787..e3fbe91c 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -81,23 +81,20 @@ template(`gpg_per_role_template',`
# setrlimit is for ulimit -c 0
allow $1_gpg_t self:process { setrlimit setcap setpgid };
- allow $1_gpg_t self:fifo_file rw_file_perms;
+ allow $1_gpg_t self:fifo_file rw_fifo_file_perms;
allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
- allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
- allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
- allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
+ # transition from the gpg domain to the helper domain
+ domtrans_pattern($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
+
+ manage_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
+ manage_lnk_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
# transition from the userdomain to the derived domain
- domain_auto_trans($2,gpg_exec_t,$1_gpg_t)
- allow $1_gpg_t $2:fd use;
- allow $1_gpg_t $2:fifo_file rw_file_perms;
- allow $1_gpg_t $2:process sigchld;
+ domtrans_pattern($2,gpg_exec_t,$1_gpg_t)
# allow ps to show gpg
- allow $2 $1_gpg_t:dir { search getattr read };
- allow $2 $1_gpg_t:{ file lnk_file } { read getattr };
- allow $2 $1_gpg_t:process getattr;
+ ps_process_pattern($2,$1_gpg_t)
corenet_non_ipsec_sendrecv($1_gpg_t)
corenet_tcp_sendrecv_all_if($1_gpg_t)
@@ -152,21 +149,14 @@ template(`gpg_per_role_template',`
# Note: this is only tested with the hkp interface. If you use eg the
# mail interface you will likely need additional permissions.
+ allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+ allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
+
# communicate with the user
allow $1_gpg_helper_t $2:fd use;
allow $1_gpg_helper_t $2:fifo_file write;
- # transition from the gpg domain to the helper domain
- domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
- allow $1_gpg_helper_t $1_gpg_t:fd use;
- allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
- allow $1_gpg_helper_t $1_gpg_t:process sigchld;
-
- allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
-
- allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
- allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
-
dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
@@ -215,36 +205,29 @@ template(`gpg_per_role_template',`
allow $1_gpg_agent_t self:process setrlimit;
allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
- allow $1_gpg_agent_t self:fifo_file rw_file_perms;
+ allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms;
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
- allow $1_gpg_agent_t $1_gpg_secret_t:dir create_dir_perms;
- allow $1_gpg_agent_t $1_gpg_secret_t:file create_file_perms;
- allow $1_gpg_agent_t $1_gpg_secret_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
+ manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
+ manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
# allow gpg to connect to the gpg agent
- allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
- allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
- allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto;
+ stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
# allow ps to show gpg-agent
- allow $2 $1_gpg_agent_t:dir { search getattr read };
- allow $2 $1_gpg_agent_t:{ file lnk_file } { read getattr };
- allow $2 $1_gpg_agent_t:process getattr;
+ ps_process_pattern($2,$1_gpg_agent_t)
# Allow the user shell to signal the gpg-agent program.
allow $2 $1_gpg_agent_t:process { signal sigkill };
- allow $2 $1_gpg_agent_tmp_t:dir create_dir_perms;
- allow $2 $1_gpg_agent_tmp_t:file create_file_perms;
- allow $2 $1_gpg_agent_tmp_t:sock_file create_file_perms;
+ manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+ manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+ manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
# Transition from the user domain to the derived domain.
- domain_auto_trans($2, gpg_agent_exec_t, $1_gpg_agent_t)
- allow $1_gpg_agent_t $2:fd use;
- allow $1_gpg_agent_t $2:fifo_file rw_file_perms;
- allow $1_gpg_agent_t $2:process sigchld;
+ domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
corecmd_search_bin($1_gpg_agent_t)
@@ -277,15 +260,12 @@ template(`gpg_per_role_template',`
# Pinentry local policy
#
+ allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
+ allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
+
# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
- domain_auto_trans($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
- allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
- allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
- allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
-
- allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
- allow $1_gpg_pinentry_t self:fifo_file rw_file_perms;
+ domtrans_pattern($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
# read /proc/meminfo
kernel_read_system_state($1_gpg_pinentry_t)
@@ -366,11 +346,7 @@ template(`gpg_domtrans_user_gpg',`
type $1_gpg_t, gpg_exec_t;
')
- domain_auto_trans($2, gpg_exec_t, $1_gpg_t)
- allow $2 $1_gpg_t:fd use;
- allow $1_gpg_t $2:fd use;
- allow $1_gpg_t $2:fifo_file rw_file_perms;
- allow $1_gpg_t $2:process sigchld;
+ domtrans_pattern($2, gpg_exec_t, $1_gpg_t)
')
########################################
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 16b2ae96..6debc0b0 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -62,40 +62,31 @@ template(`irc_per_role_template',`
# Local policy
#
- allow $1_irc_t self:dir search;
- allow $1_irc_t self:lnk_file read;
allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
allow $1_irc_t self:tcp_socket create_socket_perms;
allow $1_irc_t self:udp_socket create_socket_perms;
- allow $1_irc_t $1_irc_home_t:dir create_dir_perms;
- allow $1_irc_t $1_irc_home_t:file create_file_perms;
- allow $1_irc_t $1_irc_home_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
+ manage_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
+ manage_lnk_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
userdom_user_home_dir_filetrans($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file })
# access files under /tmp
- allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
- allow $1_irc_t $1_irc_tmp_t:file create_file_perms;
- allow $1_irc_t $1_irc_tmp_t:lnk_file create_lnk_perms;
- allow $1_irc_t $1_irc_tmp_t:sock_file create_file_perms;
- allow $1_irc_t $1_irc_tmp_t:fifo_file create_file_perms;
+ manage_dirs_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
+ manage_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
+ manage_lnk_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
+ manage_fifo_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
+ manage_sock_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
files_tmp_filetrans($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
# Transition from the user domain to the derived domain.
- domain_auto_trans($2,irc_exec_t,$1_irc_t)
- allow $2 $1_irc_t:fd use;
- allow $1_irc_t $2:fd use;
- allow $1_irc_t $2:fifo_file rw_file_perms;
- allow $1_irc_t $2:process sigchld;
+ domtrans_pattern($2,irc_exec_t,$1_irc_t)
- allow $2 $1_irc_t:process signal;
-
- allow $2 $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };
+ allow $2 $1_irc_exec_t:file { relabelfrom relabelto manage_file_perms };
# allow ps to show irc
- allow $2 $1_irc_t:dir { search getattr read };
- allow $2 $1_irc_t:{ file lnk_file } { read getattr };
- allow $2 $1_irc_t:process getattr;
+ ps_process_pattern($2,$1_irc_t)
+ allow $2 $1_irc_t:process signal;
kernel_read_proc_symlinks($1_irc_t)
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
index 86175257..00e77445 100644
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@@ -59,7 +59,7 @@ template(`java_per_role_template',`
#
allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
- allow $1_javaplugin_t self:fifo_file rw_file_perms;
+ allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms;
allow $1_javaplugin_t self:tcp_socket create_socket_perms;
allow $1_javaplugin_t self:udp_socket create_socket_perms;
@@ -67,21 +67,18 @@ template(`java_per_role_template',`
allow $1_javaplugin_t $2:unix_stream_socket { read write };
userdom_write_user_tmp_sockets($1,$1_javaplugin_t)
- allow $1_javaplugin_t $1_javaplugin_tmp_t:dir create_dir_perms;
- allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms;
+ manage_dirs_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t)
+ manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t)
files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
- allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
- allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
- allow $1_javaplugin_t $1_javaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_javaplugin_t $1_javaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
+ manage_lnk_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
+ manage_fifo_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
+ manage_sock_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
+ fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ file lnk_file sock_file fifo_file })
- # cjp: rw_dir_perms here doesnt make sense
- allow $1_javaplugin_t $1_home_t:dir rw_dir_perms;
- allow $1_javaplugin_t $1_home_t:file rw_file_perms;
- allow $1_javaplugin_t $1_home_t:lnk_file { getattr read };
+ rw_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t)
+ read_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t)
can_exec($1_javaplugin_t, java_exec_t)
@@ -189,12 +186,7 @@ interface(`java_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, java_exec_t, java_t)
-
- allow $1 java_t:fd use;
- allow java_t $1:fd use;
- allow java_t $1:fifo_file rw_file_perms;
- allow java_t $1:process sigchld;
+ domtrans_pattern($1, java_exec_t, java_t)
',`
refpolicywarn(`$0($1) has no effect in strict policy.')
')
diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if
index d85b82c5..8515073e 100644
--- a/policy/modules/apps/loadkeys.if
+++ b/policy/modules/apps/loadkeys.if
@@ -17,12 +17,7 @@ interface(`loadkeys_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, loadkeys_exec_t, loadkeys_t)
-
- allow $1 loadkeys_t:fd use;
- allow loadkeys_t $1:fd use;
- allow loadkeys_t $1:fifo_file rw_file_perms;
- allow loadkeys_t $1:process sigchld;
+ domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
',`
refpolicywarn(`$0($*) has no effect in targeted policy.')
')
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index 8e7daf33..a8e2e118 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -30,7 +30,7 @@ ifdef(`targeted_policy',`
# loadkeys domain disabled in targeted policy
',`
allow loadkeys_t self:capability { setuid sys_tty_config };
- allow loadkeys_t self:fifo_file rw_file_perms;
+ allow loadkeys_t self:fifo_file rw_fifo_file_perms;
kernel_read_system_state(loadkeys_t)
diff --git a/policy/modules/apps/lockdev.if b/policy/modules/apps/lockdev.if
index c462bccc..3230ffa8 100644
--- a/policy/modules/apps/lockdev.if
+++ b/policy/modules/apps/lockdev.if
@@ -61,13 +61,9 @@ template(`lockdev_per_role_template',`
allow $1_lockdev_t $2:process signull;
# Transition from the user domain to the derived domain.
- domain_auto_trans($2, lockdev_exec_t, $1_lockdev_t)
- allow $2 $1_lockdev_t:fd use;
- allow $1_lockdev_t $2:fd use;
- allow $1_lockdev_t $2:fifo_file rw_file_perms;
- allow $1_lockdev_t $2:process sigchld;
+ domtrans_pattern($2, lockdev_exec_t, $1_lockdev_t)
- allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms;
+ allow $1_lockdev_t $1_lockdev_lock_t:file manage_file_perms;
files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t,file)
files_read_all_locks($1_lockdev_t)
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
index 257fa437..24687545 100644
--- a/policy/modules/apps/mono.if
+++ b/policy/modules/apps/mono.if
@@ -16,10 +16,5 @@ interface(`mono_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, mono_exec_t, mono_t)
-
- allow $1 mono_t:fd use;
- allow mono_t $1:fd use;
- allow mono_t $1:fifo_file rw_file_perms;
- allow mono_t $1:process sigchld;
+ domtrans_pattern($1, mono_exec_t, mono_t)
')
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 6f6f6a45..2e443c1c 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -57,6 +57,7 @@ template(`mozilla_per_role_template',`
#
# Local policy
#
+
allow $1_mozilla_t self:capability { sys_nice setgid setuid };
allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow $1_mozilla_t self:fifo_file { getattr read write };
@@ -72,13 +73,13 @@ template(`mozilla_per_role_template',`
can_exec($1_mozilla_t, mozilla_exec_t)
# X access, Home files
- allow $1_mozilla_t $1_mozilla_home_t:dir manage_dir_perms;
- allow $1_mozilla_t $1_mozilla_home_t:file manage_file_perms;
- allow $1_mozilla_t $1_mozilla_home_t:lnk_file create_lnk_perms;
- fs_search_auto_mountpoints($1_mozilla_t)
+ manage_dirs_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
+ manage_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
+ manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
+ userdom_search_user_home_dirs($1,$1_mozilla_t)
# Mozpluggerrc
- allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
+ allow $1_mozilla_t mozilla_conf_t:file read_file_perms;
allow $1_mozilla_t $2:fd use;
allow $1_mozilla_t $2:process sigchld;
@@ -89,28 +90,23 @@ template(`mozilla_per_role_template',`
allow $2 $1_mozilla_t:unix_stream_socket connectto;
# X access, Home files
- allow $2 $1_mozilla_home_t:dir manage_dir_perms;
- allow $2 $1_mozilla_home_t:file manage_file_perms;
- allow $2 $1_mozilla_home_t:lnk_file create_lnk_perms;
- allow $2 $1_mozilla_home_t:{ dir file lnk_file } { relabelfrom relabelto };
- userdom_search_user_home_dirs($1,$1_mozilla_t)
+ manage_dirs_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
+ manage_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
+ manage_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
+ relabel_dirs_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
+ relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
+ relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
- allow $1_mozilla_t $1_mozilla_tmpfs_t:dir rw_dir_perms;
- allow $1_mozilla_t $1_mozilla_tmpfs_t:file manage_file_perms;
- allow $1_mozilla_t $1_mozilla_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_mozilla_t $1_mozilla_tmpfs_t:sock_file manage_file_perms;
- allow $1_mozilla_t $1_mozilla_tmpfs_t:fifo_file manage_file_perms;
- fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ manage_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
+ manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
+ manage_fifo_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
+ manage_sock_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
+ fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ file lnk_file sock_file fifo_file })
- # Unrestricted inheritance from the caller.
- allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
allow $1_mozilla_t $2:process signull;
# Allow the user domain to signal/ps.
- allow $2 $1_mozilla_t:dir { search getattr read };
- allow $2 $1_mozilla_t:{ file lnk_file } { read getattr };
- allow $2 $1_mozilla_t:process getattr;
-
+ ps_process_pattern($2,$1_mozilla_t)
allow $2 $1_mozilla_t:process signal_perms;
kernel_read_kernel_sysctls($1_mozilla_t)
@@ -164,6 +160,7 @@ template(`mozilla_per_role_template',`
files_read_var_files($1_mozilla_t)
files_read_var_symlinks($1_mozilla_t)
+ fs_search_auto_mountpoints($1_mozilla_t)
fs_search_inotifyfs($1_mozilla_t)
fs_rw_tmpfs_files($1_mozilla_t)
@@ -208,6 +205,8 @@ template(`mozilla_per_role_template',`
# Type transition
tunable_policy(`! disable_mozilla_trans',`
domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
+ # Unrestricted inheritance from the caller.
+ allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
')
# Uploads, local html
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index 45c3bf5e..47ee8ec8 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -61,26 +61,20 @@ template(`mplayer_per_role_template',`
# mencoder local policy
#
- allow $1_mencoder_t $1_mplayer_home_t:dir create_dir_perms;
- allow $1_mencoder_t $1_mplayer_home_t:file create_file_perms;
- allow $1_mencoder_t $1_mplayer_home_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t)
+ manage_files_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t)
+ manage_lnk_files_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t)
# Read global config
- allow $1_mencoder_t mplayer_etc_t:dir r_dir_perms;
- allow $1_mencoder_t mplayer_etc_t:file r_file_perms;
- allow $1_mencoder_t mplayer_etc_t:lnk_file { getattr read };
+ allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms;
+ read_files_pattern($1_mencoder_t,mplayer_etc_t,mplayer_etc_t)
+ read_lnk_files_pattern($1_mencoder_t,mplayer_etc_t,mplayer_etc_t)
# domain transition
- domain_auto_trans($2, mencoder_exec_t, $1_mencoder_t)
- allow $2 $1_mencoder_t:fd use;
- allow $1_mencoder_t $2:fd use;
- allow $1_mencoder_t $2:fifo_file rw_file_perms;
- allow $1_mencoder_t $2:process sigchld;
+ domtrans_pattern($2, mencoder_exec_t, $1_mencoder_t)
# Allow the user domain to signal/ps.
- allow $2 $1_mencoder_t:dir { search getattr read };
- allow $2 $1_mencoder_t:{ file lnk_file } { read getattr };
- allow $2 $1_mencoder_t:process getattr;
+ ps_process_pattern($2,$1_mencoder_t,$1_mencoder_t)
allow $2 $1_mencoder_t:process signal_perms;
# Read /proc files and directories
@@ -254,42 +248,37 @@ template(`mplayer_per_role_template',`
#
allow $1_mplayer_t self:process { signal_perms getsched };
- allow $1_mplayer_t self:fifo_file rw_file_perms;
+ allow $1_mplayer_t self:fifo_file rw_fifo_file_perms;
- allow $1_mplayer_t $1_mplayer_home_t:dir manage_dir_perms;
- allow $1_mplayer_t $1_mplayer_home_t:file manage_file_perms;
- allow $1_mplayer_t $1_mplayer_home_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
+ manage_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
+ manage_lnk_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
userdom_search_user_home_dirs($1,$1_mplayer_t)
- allow $1_mplayer_t $1_mplayer_tmpfs_t:dir rw_dir_perms;
- allow $1_mplayer_t $1_mplayer_tmpfs_t:file manage_file_perms;
- allow $1_mplayer_t $1_mplayer_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_mplayer_t $1_mplayer_tmpfs_t:sock_file manage_file_perms;
- allow $1_mplayer_t $1_mplayer_tmpfs_t:fifo_file manage_file_perms;
+ manage_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
+ manage_lnk_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
+ manage_fifo_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
+ manage_sock_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
fs_tmpfs_filetrans($1_mplayer_t,$1_mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Read global config
- allow $1_mplayer_t mplayer_etc_t:dir r_dir_perms;
- allow $1_mplayer_t mplayer_etc_t:file r_file_perms;
- allow $1_mplayer_t mplayer_etc_t:lnk_file { getattr read };
+ allow $1_mplayer_t mplayer_etc_t:dir list_dir_perms;
+ read_files_pattern($1_mplayer_t,mplayer_etc_t,mplayer_etc_t)
+ read_lnk_files_pattern($1_mplayer_t,mplayer_etc_t,mplayer_etc_t)
# Home access
- allow $2 $1_mplayer_home_t:dir manage_dir_perms;
- allow $2 $1_mplayer_home_t:file manage_file_perms;
- allow $2 $1_mplayer_home_t:lnk_file create_lnk_perms;
- allow $2 $1_mplayer_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+ manage_dirs_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
+ manage_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
+ manage_lnk_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
+ relabel_dirs_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
+ relabel_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
+ relabel_lnk_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
# domain transition
- domain_auto_trans($2, mplayer_exec_t, $1_mplayer_t)
- allow $2 $1_mplayer_t:fd use;
- allow $1_mplayer_t $2:fd use;
- allow $1_mplayer_t $2:fifo_file rw_file_perms;
- allow $1_mplayer_t $2:process sigchld;
+ domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t)
# Allow the user domain to signal/ps.
- allow $2 $1_mplayer_t:dir { search getattr read };
- allow $2 $1_mplayer_t:{ file lnk_file } { read getattr };
- allow $2 $1_mplayer_t:process getattr;
+ ps_process_pattern($2,$1_mplayer_t)
allow $2 $1_mplayer_t:process signal_perms;
kernel_dontaudit_list_unlabeled($1_mplayer_t)
diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if
index 965e9888..8ed37fbc 100644
--- a/policy/modules/apps/rssh.if
+++ b/policy/modules/apps/rssh.if
@@ -53,7 +53,7 @@ template(`rssh_per_role_template',`
allow $1_rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_rssh_t self:fd use;
- allow $1_rssh_t self:fifo_file rw_file_perms;
+ allow $1_rssh_t self:fifo_file rw_fifo_file_perms;
allow $1_rssh_t self:unix_dgram_socket create_socket_perms;
allow $1_rssh_t self:unix_stream_socket create_stream_socket_perms;
allow $1_rssh_t self:unix_dgram_socket sendto;
@@ -67,10 +67,10 @@ template(`rssh_per_role_template',`
term_create_pty($1_rssh_t,$1_rssh_devpts_t)
allow $1_rssh_t $1_rssh_ro_t:dir list_dir_perms;
- allow $1_rssh_t $1_rssh_ro_t:file read_file_perms;
+ read_files_pattern($1_rssh_t,$1_rssh_ro_t,$1_rssh_ro_t)
- allow $1_rssh_t $1_rssh_rw_t:dir manage_dir_perms;
- allow $1_rssh_t $1_rssh_rw_t:file manage_file_perms;
+ manage_dirs_pattern($1_rssh_t,$1_rssh_rw_t,$1_rssh_rw_t)
+ manage_files_pattern($1_rssh_t,$1_rssh_rw_t,$1_rssh_rw_t)
kernel_read_system_state($1_rssh_t)
kernel_read_kernel_sysctls($1_rssh_t)
@@ -116,10 +116,7 @@ interface(`rssh_spec_domtrans_all_users',`
type rssh_exec_t;
')
- domain_trans($1,rssh_exec_t,rssh_domain_type)
- allow rssh_domain_type $1:fd use;
- allow rssh_domain_type $1:fifo_file rw_file_perms;
- allow rssh_domain_type $1:process sigchld;
+ spec_domtrans_pattern($1,rssh_exec_t,rssh_domain_type)
')
########################################
@@ -137,7 +134,7 @@ interface(`rssh_read_all_users_ro_content',`
attribute rssh_ro_content_type;
')
- allow $1 rssh_ro_content_type:dir r_dir_perms;
- allow $1 rssh_ro_content_type:file r_file_perms;
- allow $1 rssh_ro_content_type:lnk_file { getattr read };
+ allow $1 rssh_ro_content_type:dir list_dir_perms;
+ read_files_pattern($1,rssh_ro_content_type,rssh_ro_content_type)
+ read_lnk_files_pattern($1,rssh_ro_content_type,rssh_ro_content_type)
')
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
index 48eb8846..ad5c105f 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -71,33 +71,33 @@ template(`screen_per_role_template',`
allow $1_screen_t self:unix_stream_socket create_socket_perms;
allow $1_screen_t self:unix_dgram_socket create_socket_perms;
- allow $1_screen_t $1_screen_tmp_t:dir create_dir_perms;
- allow $1_screen_t $1_screen_tmp_t:file create_file_perms;
- allow $1_screen_t $1_screen_tmp_t:fifo_file create_file_perms;
+ manage_dirs_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t)
+ manage_files_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t)
+ manage_fifo_files_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t)
files_tmp_filetrans($1_screen_t, $1_screen_tmp_t, { file dir })
# Create fifo
- allow $1_screen_t screen_dir_t:dir rw_dir_perms;
- allow $1_screen_t screen_dir_t:dir create_dir_perms;
- allow $1_screen_t $1_screen_var_run_t:fifo_file create_file_perms;
- type_transition $1_screen_t screen_dir_t:fifo_file $1_screen_var_run_t;
+ manage_fifo_files_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t)
+ manage_dirs_pattern($1_screen_t,screen_dir_t,screen_dir_t)
+ filetrans_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t,fifo_file)
files_pid_filetrans($1_screen_t,screen_dir_t,dir)
- allow $1_screen_t $1_screen_ro_home_t:dir r_dir_perms;
- allow $1_screen_t $1_screen_ro_home_t:file r_file_perms;
- allow $1_screen_t $1_screen_ro_home_t:lnk_file { read getattr };
+ allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms;
+ read_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t)
+ read_lnk_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t)
- domain_auto_trans($2, screen_exec_t, $1_screen_t)
+ allow $1_screen_t $2:process signal;
+
+ domtrans_pattern($2, screen_exec_t, $1_screen_t)
allow $2 $1_screen_t:process signal;
- allow $1_screen_t $2:process { signal sigchld };
- allow $1_screen_t $2:fd use;
- allow $1_screen_t $2:fifo_file rw_file_perms;
- allow $1_screen_t $1_home_dir_t:dir { search getattr };
+ allow $1_screen_t $2:process signal;
- allow $2 $1_screen_ro_home_t:dir create_dir_perms;
- allow $2 $1_screen_ro_home_t:file create_file_perms;
- allow $2 $1_screen_ro_home_t:lnk_file create_lnk_perms;
- allow $2 $1_screen_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+ manage_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
+ manage_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
+ manage_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
+ relabel_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
+ relabel_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
+ relabel_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
kernel_read_system_state($1_screen_t)
kernel_read_kernel_sysctls($1_screen_t)
@@ -190,11 +190,4 @@ template(`screen_per_role_template',`
optional_policy(`
nscd_socket_use($1_screen_t)
')
-
- ifdef(`TODO',`
- # Inherit and use descriptors from gnome-pty-helper.
- optional_policy(`
- allow $1_screen_t $1_gph_t:fd use;
- ')
- ') dnl TODO
')
diff --git a/policy/modules/apps/slocate.if b/policy/modules/apps/slocate.if
index 4abc8b21..1d3e061e 100644
--- a/policy/modules/apps/slocate.if
+++ b/policy/modules/apps/slocate.if
@@ -16,6 +16,6 @@ interface(`slocate_create_append_log',`
')
logging_search_logs($1)
- allow $1 locate_log_t:dir ra_dir_perms;
- allow $1 locate_log_t:file { create append getattr };
+ create_files_pattern($1,locate_log_t,locate_log_t)
+ append_files_pattern($1,locate_log_t,locate_log_t)
')
diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te
index e93fb0fa..28c3b0ba 100644
--- a/policy/modules/apps/slocate.te
+++ b/policy/modules/apps/slocate.te
@@ -23,11 +23,11 @@ files_type(locate_var_lib_t)
allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
allow locate_t self:process { execmem execheap execstack };
-allow locate_t self:fifo_file rw_file_perms;
+allow locate_t self:fifo_file rw_fifo_file_perms;
allow locate_t self:unix_stream_socket create_socket_perms;
-allow locate_t locate_var_lib_t:dir create_dir_perms;
-allow locate_t locate_var_lib_t:file create_file_perms;
+manage_dirs_pattern(locate_t,locate_var_lib_t,locate_var_lib_t)
+manage_files_pattern(locate_t,locate_var_lib_t,locate_var_lib_t)
kernel_read_system_state(locate_t)
kernel_dontaudit_search_sysctl(locate_t)
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
index 1e5f7a17..9a77b220 100644
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@@ -64,16 +64,15 @@ template(`thunderbird_per_role_template',`
allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
# Access ~/.thunderbird
- allow $1_thunderbird_t $1_thunderbird_home_t:dir manage_dir_perms;
- allow $1_thunderbird_t $1_thunderbird_home_t:file manage_file_perms;
- allow $1_thunderbird_t $1_thunderbird_home_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
+ manage_files_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
+ manage_lnk_files_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
userdom_search_user_home_dirs($1,$1_thunderbird_t)
- allow $1_thunderbird_t $1_thunderbird_tmpfs_t:dir rw_dir_perms;
- allow $1_thunderbird_t $1_thunderbird_tmpfs_t:file manage_file_perms;
- allow $1_thunderbird_t $1_thunderbird_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_thunderbird_t $1_thunderbird_tmpfs_t:sock_file manage_file_perms;
- allow $1_thunderbird_t $1_thunderbird_tmpfs_t:fifo_file manage_file_perms;
+ manage_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
+ manage_lnk_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
+ manage_fifo_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
+ manage_sock_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow $2 $1_thunderbird_t:fd use;
@@ -84,15 +83,15 @@ template(`thunderbird_per_role_template',`
allow $1_thunderbird_t $2:unix_stream_socket connectto;
# Allow the user domain to signal/ps.
- allow $2 $1_thunderbird_t:dir { search getattr read };
- allow $2 $1_thunderbird_t:{ file lnk_file } { read getattr };
- allow $2 $1_thunderbird_t:process getattr;
+ ps_process_pattern($2,$1_thunderbird_t)
# Access ~/.thunderbird
- allow $2 $1_thunderbird_home_t:dir manage_dir_perms;
- allow $2 $1_thunderbird_home_t:file manage_file_perms;
- allow $2 $1_thunderbird_home_t:lnk_file create_lnk_perms;
- allow $2 $1_thunderbird_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+ manage_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
+ manage_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
+ manage_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
+ relabel_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
+ relabel_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
+ relabel_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
# Allow netstat
kernel_read_network_state($1_thunderbird_t)
diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if
index f7431699..679e1b95 100644
--- a/policy/modules/apps/tvtime.if
+++ b/policy/modules/apps/tvtime.if
@@ -65,40 +65,34 @@ template(`tvtime_per_role_template',`
allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms;
# X access, Home files
- allow $1_tvtime_t $1_tvtime_home_t:dir manage_dir_perms;
- allow $1_tvtime_t $1_tvtime_home_t:file manage_file_perms;
- allow $1_tvtime_t $1_tvtime_home_t:lnk_file create_lnk_perms;
- type_transition $1_tvtime_t $1_home_dir_t:dir $1_tvtime_home_t;
+ manage_dirs_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t)
+ manage_files_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t)
+ manage_lnk_files_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t)
userdom_user_home_dir_filetrans($1,$1_tvtime_t,$1_tvtime_home_t,dir)
- allow $1_tvtime_t $1_tvtime_tmp_t:dir create_dir_perms;
- allow $1_tvtime_t $1_tvtime_tmp_t:file create_file_perms;
- files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file })
+ manage_dirs_pattern($1_tvtime_t,$1_tvtime_tmp_t,$1_tvtime_tmp_t)
+ manage_files_pattern($1_tvtime_t,$1_tvtime_tmp_t,$1_tvtime_tmp_t)
+ files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t,{ file dir })
- allow $1_tvtime_t $1_tvtime_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
- allow $1_tvtime_t $1_tvtime_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_tvtime_t $1_tvtime_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
- allow $1_tvtime_t $1_tvtime_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_tvtime_t $1_tvtime_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- fs_tmpfs_filetrans($1_tvtime_t,$1_tvtime_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ manage_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t)
+ manage_lnk_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t)
+ manage_fifo_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t)
+ manage_sock_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t)
+ fs_tmpfs_filetrans($1_tvtime_t,$1_tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file })
# Type transition
- domain_auto_trans($2, tvtime_exec_t, $1_tvtime_t)
- allow $2 $1_tvtime_t:fd use;
- allow $1_tvtime_t $2:fd use;
- allow $1_tvtime_t $2:fifo_file rw_file_perms;
- allow $1_tvtime_t $2:process sigchld;
+ domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t)
# X access, Home files
- allow $2 $1_tvtime_home_t:dir manage_dir_perms;
- allow $2 $1_tvtime_home_t:file manage_file_perms;
- allow $2 $1_tvtime_home_t:lnk_file create_lnk_perms;
- allow $2 $1_tvtime_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+ manage_dirs_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
+ manage_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
+ manage_lnk_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
+ relabel_dirs_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
+ relabel_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
+ relabel_lnk_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
# Allow the user domain to signal/ps.
- allow $2 $1_tvtime_t:dir { search getattr read };
- allow $2 $1_tvtime_t:{ file lnk_file } { read getattr };
- allow $2 $1_tvtime_t:process getattr;
+ ps_process_pattern($2,$1_tvtime_t)
allow $2 $1_tvtime_t:process signal_perms;
kernel_read_all_sysctls($1_tvtime_t)
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index a599b7d5..37c5c7e9 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -64,7 +64,8 @@ template(`uml_per_role_template',`
#
# Local policy
#
- allow $1_uml_t self:fifo_file rw_file_perms;
+
+ allow $1_uml_t self:fifo_file rw_fifo_file_perms;
allow $1_uml_t self:process { signal_perms ptrace };
allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
allow $1_uml_t self:unix_dgram_socket create_socket_perms;
@@ -79,52 +80,58 @@ template(`uml_per_role_template',`
allow $1_uml_t $1_uml_devpts_t:chr_file { rw_file_perms setattr };
term_create_pty($1_uml_t,$1_uml_devpts_t)
- allow $1_uml_t $1_uml_tmp_t:dir create_dir_perms;
- allow $1_uml_t $1_uml_tmp_t:file create_file_perms;
+ manage_dirs_pattern($1_uml_t,$1_uml_tmp_t,$1_uml_tmp_t)
+ manage_files_pattern($1_uml_t,$1_uml_tmp_t,$1_uml_tmp_t)
files_tmp_filetrans($1_uml_t, $1_uml_tmp_t, { file dir })
can_exec($1_uml_t, $1_uml_tmp_t)
- allow $1_uml_t $1_uml_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
- allow $1_uml_t $1_uml_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_uml_t $1_uml_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
- allow $1_uml_t $1_uml_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_uml_t $1_uml_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- fs_tmpfs_filetrans($1_uml_t,$1_uml_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ manage_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
+ manage_lnk_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
+ manage_fifo_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
+ manage_sock_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
+ fs_tmpfs_filetrans($1_uml_t,$1_uml_tmpfs_t,{ file lnk_file sock_file fifo_file })
can_exec($1_uml_t, $1_uml_tmpfs_t)
# access config files
- allow $1_uml_t { $1_uml_ro_t uml_ro_t }:dir r_dir_perms;
- allow $1_uml_t { $1_uml_ro_t uml_ro_t }:file r_file_perms;
- allow $1_uml_t { $1_uml_ro_t uml_ro_t }:lnk_file { getattr read };
+ allow $1_uml_t { $1_uml_ro_t uml_ro_t }:dir list_dir_perms;
+ read_files_pattern($1_uml_t,{ $1_uml_ro_t uml_ro_t },{ $1_uml_ro_t uml_ro_t })
+ read_lnk_files_pattern($1_uml_t,{ $1_uml_ro_t uml_ro_t },{ $1_uml_ro_t uml_ro_t })
- allow $1_uml_t $1_uml_rw_t:dir create_dir_perms;
- allow $1_uml_t $1_uml_rw_t:file create_file_perms;
- allow $1_uml_t $1_uml_rw_t:lnk_file create_lnk_perms;
- allow $1_uml_t $1_uml_rw_t:sock_file create_file_perms;
- allow $1_uml_t $1_uml_rw_t:fifo_file create_file_perms;
+ manage_dirs_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
+ manage_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
+ manage_lnk_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
+ manage_fifo_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
+ manage_sock_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
userdom_user_home_dir_filetrans($1,$1_uml_t,$1_uml_rw_t,{ file lnk_file sock_file fifo_file })
- allow $2 uml_ro_t:dir r_dir_perms;
- allow $2 uml_ro_t:file r_file_perms;
- allow $2 uml_ro_t:lnk_file { getattr read };
+ allow $2 uml_ro_t:dir list_dir_perms;
+ read_files_pattern($2,uml_ro_t,uml_ro_t)
+ read_lnk_files_pattern($2,uml_ro_t,uml_ro_t)
- allow $2 { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms };
- allow $2 { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms };
- allow $2 { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms };
- allow $2 $1_uml_exec_t:file { relabelfrom relabelto create_file_perms };
+ manage_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ manage_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ manage_lnk_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ manage_fifo_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ manage_sock_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ relabel_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ relabel_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ relabel_lnk_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ relabel_fifo_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
+ relabel_sock_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
- allow $2 $1_uml_t:process ptrace;
- allow $2 $1_uml_t:process signal_perms;
+ manage_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
+ manage_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
+ relabel_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
+ relabel_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
# allow ps, ptrace, signal
- allow $2 $1_uml_t:dir { search getattr read };
- allow $2 $1_uml_t:{ file lnk_file } { read getattr };
- allow $2 $1_uml_t:process getattr;
+ ps_process_pattern($2,$1_uml_t)
+ allow $2 $1_uml_t:process { ptrace signal_perms };
- allow $2 $1_uml_tmp_t:dir create_dir_perms;
- allow $2 $1_uml_tmp_t:file create_file_perms;
- allow $2 $1_uml_tmp_t:lnk_file create_lnk_perms;
- allow $2 $1_uml_tmp_t:sock_file create_file_perms;
+ manage_dirs_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
+ manage_files_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
+ manage_lnk_files_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
+ manage_sock_files_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
# Transition from the user domain to this domain.
domain_auto_trans($2, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
@@ -245,7 +252,6 @@ interface(`uml_manage_util_files',`
type uml_switch_var_run_t;
')
- allow $1 uml_switch_var_run_t:dir rw_dir_perms;
- allow $1 uml_switch_var_run_t:file create_file_perms;
- allow $1 uml_switch_var_run_t:lnk_file create_lnk_perms;
+ manage_files_pattern($1,uml_switch_var_run_t,uml_switch_var_run_t)
+ manage_lnk_files_pattern($1,uml_switch_var_run_t,uml_switch_var_run_t)
')
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index ccce2af4..47916306 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -29,9 +29,8 @@ allow uml_switch_t self:process signal_perms;
allow uml_switch_t self:unix_dgram_socket create_socket_perms;
allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
-allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms;
-allow uml_switch_t uml_switch_var_run_t:file create_file_perms;
-allow uml_switch_t uml_switch_var_run_t:dir rw_dir_perms;
+manage_files_pattern(uml_switch_t,uml_switch_var_run_t,uml_switch_var_run_t)
+manage_sock_files_pattern(uml_switch_t,uml_switch_var_run_t,uml_switch_var_run_t)
files_pid_filetrans(uml_switch_t,uml_switch_var_run_t,file)
kernel_read_kernel_sysctls(uml_switch_t)
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
index e755216b..4cd3e013 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -57,8 +57,9 @@ template(`userhelper_per_role_template',`
#
allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_userhelper_t self:process setexec;
allow $1_userhelper_t self:fd use;
- allow $1_userhelper_t self:fifo_file rw_file_perms;
+ allow $1_userhelper_t self:fifo_file rw_fifo_file_perms;
allow $1_userhelper_t self:shm create_shm_perms;
allow $1_userhelper_t self:sem create_sem_perms;
allow $1_userhelper_t self:msgq create_msgq_perms;
@@ -67,19 +68,13 @@ template(`userhelper_per_role_template',`
allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
allow $1_userhelper_t self:unix_dgram_socket sendto;
allow $1_userhelper_t self:unix_stream_socket connectto;
- allow $1_userhelper_t self:sock_file r_file_perms;
+ allow $1_userhelper_t self:sock_file read_sock_file_perms;
#Transition to the derived domain.
- domain_auto_trans($2,userhelper_exec_t,$1_userhelper_t)
- allow $2 $1_userhelper_t:fd use;
- allow $1_userhelper_t $2:fd use;
- allow $1_userhelper_t $2:fifo_file rw_file_perms;
- allow $1_userhelper_t $2:process sigchld;
+ domtrans_pattern($2,userhelper_exec_t,$1_userhelper_t)
- allow $1_userhelper_t self:process setexec;
-
- allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;
allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
+ rw_files_pattern($1_userhelper_t,userhelper_conf_t,userhelper_conf_t)
can_exec($1_userhelper_t, userhelper_exec_t)
@@ -199,11 +194,11 @@ template(`userhelper_per_role_template',`
allow $1_userhelper_t gphdomain:fd use;
')
optional_policy(`
- domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
+ domtrans_pattern($1_userhelper_t, xauth_exec_t, $1_xauth_t)
allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
')
optional_policy(`
- domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
+ domtrans_pattern($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
')
# for when the network connection is killed
dontaudit unpriv_userdomain $1_userhelper_t:process signal;
@@ -269,6 +264,7 @@ template(`userhelper_use_user_fd',`
allow $2 $1_userhelper_t:fd use;
')
+
########################################
##
## Allow domain to send sigchld to userhelper.
diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if
index 49a9779f..9b2d76ea 100644
--- a/policy/modules/apps/usernetctl.if
+++ b/policy/modules/apps/usernetctl.if
@@ -16,12 +16,7 @@ interface(`usernetctl_domtrans',`
')
tunable_policy(`user_net_control',`
- domain_auto_trans($1,usernetctl_exec_t,usernetctl_t)
-
- allow $1 usernetctl_t:fd use;
- allow usernetctl_t $1:fd use;
- allow usernetctl_t $1:fifo_file rw_file_perms;
- allow usernetctl_t $1:process sigchld;
+ domtrans_pattern($1,usernetctl_exec_t,usernetctl_t)
',`
can_exec($1,usernetctl_exec_t)
')
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
index 8a51e3fc..e45c4a73 100644
--- a/policy/modules/apps/usernetctl.te
+++ b/policy/modules/apps/usernetctl.te
@@ -20,7 +20,7 @@ domain_interactive_fd(usernetctl_t)
allow usernetctl_t self:capability { setuid setgid dac_override };
allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow usernetctl_t self:fd use;
-allow usernetctl_t self:fifo_file rw_file_perms;
+allow usernetctl_t self:fifo_file rw_fifo_file_perms;
allow usernetctl_t self:shm create_shm_perms;
allow usernetctl_t self:sem create_sem_perms;
allow usernetctl_t self:msgq create_msgq_perms;
diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if
index 8ed664ac..2033523e 100644
--- a/policy/modules/apps/vmware.if
+++ b/policy/modules/apps/vmware.if
@@ -64,17 +64,12 @@ template(`vmware_per_role_template',`
# Local policy
#
- domain_auto_trans($2, vmware_exec_t, $1_vmware_t)
- allow $1_vmware_t $2:fd use;
- allow $1_vmware_t $2:fifo_file rw_file_perms;
- allow $1_vmware_t $2:process sigchld;
-
allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
dontaudit $1_vmware_t self:capability sys_tty_config;
allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_vmware_t self:process { execmem execstack };
allow $1_vmware_t self:fd use;
- allow $1_vmware_t self:fifo_file rw_file_perms;
+ allow $1_vmware_t self:fifo_file rw_fifo_file_perms;
allow $1_vmware_t self:unix_dgram_socket create_socket_perms;
allow $1_vmware_t self:unix_stream_socket create_stream_socket_perms;
allow $1_vmware_t self:unix_dgram_socket sendto;
@@ -90,33 +85,34 @@ template(`vmware_per_role_template',`
allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms;
# VMWare disks
- allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
- allow $1_vmware_t $1_vmware_file_t:file manage_file_perms;
- allow $1_vmware_t $1_vmware_file_t:lnk_file create_lnk_perms;
+ manage_files_pattern($1_vmware_t,$1_vmware_file_t,$1_vmware_file_t)
+ manage_lnk_files_pattern($1_vmware_t,$1_vmware_file_t,$1_vmware_file_t)
- allow $1_vmware_t $1_vmware_tmp_t:dir manage_dir_perms;
- allow $1_vmware_t $1_vmware_tmp_t:file { manage_file_perms execute };
- allow $1_vmware_t $1_vmware_tmp_t:sock_file manage_file_perms;
+ allow $1_vmware_t $1_vmware_tmp_t:file execute;
+ manage_dirs_pattern($1_vmware_t,$1_vmware_tmp_t,$1_vmware_tmp_t)
+ manage_files_pattern($1_vmware_t,$1_vmware_tmp_t,$1_vmware_tmp_t)
+ manage_sock_files_pattern($1_vmware_t,$1_vmware_tmp_t,$1_vmware_tmp_t)
files_tmp_filetrans($1_vmware_t, $1_vmware_tmp_t, { file dir })
- allow $1_vmware_t $1_vmware_tmpfs_t:dir rw_dir_perms;
- allow $1_vmware_t $1_vmware_tmpfs_t:file manage_file_perms;
- allow $1_vmware_t $1_vmware_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_vmware_t $1_vmware_tmpfs_t:sock_file manage_file_perms;
- allow $1_vmware_t $1_vmware_tmpfs_t:fifo_file manage_file_perms;
+ manage_files_pattern($1_vmware_t,$1_vmware_tmpfs_t,$1_vmware_tmpfs_t)
+ manage_lnk_files_pattern($1_vmware_t,$1_vmware_tmpfs_t,$1_vmware_tmpfs_t)
+ manage_fifo_files_pattern($1_vmware_t,$1_vmware_tmpfs_t,$1_vmware_tmpfs_t)
+ manage_sock_files_pattern($1_vmware_t,$1_vmware_tmpfs_t,$1_vmware_tmpfs_t)
fs_tmpfs_filetrans($1_vmware_t,$1_vmware_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Read clobal configuration files
- allow $1_vmware_t vmware_sys_conf_t:dir r_dir_perms;
- allow $1_vmware_t vmware_sys_conf_t:file r_file_perms;
- allow $1_vmware_t vmware_sys_conf_t:lnk_file { getattr read };
+ allow $1_vmware_t vmware_sys_conf_t:dir list_dir_perms;
+ read_files_pattern($1_vmware_t,vmware_sys_conf_t,vmware_sys_conf_t)
+ read_lnk_files_pattern($1_vmware_t,vmware_sys_conf_t,vmware_sys_conf_t)
- allow $1_vmware_t $1_vmware_var_run_t:file manage_file_perms;
- allow $1_vmware_t $1_vmware_var_run_t:sock_file manage_file_perms;
- allow $1_vmware_t $1_vmware_var_run_t:lnk_file create_lnk_perms;
- allow $1_vmware_t $1_vmware_var_run_t:dir manage_dir_perms;
+ manage_dirs_pattern($1_vmware_t,$1_vmware_var_run_t,$1_vmware_var_run_t)
+ manage_files_pattern($1_vmware_t,$1_vmware_var_run_t,$1_vmware_var_run_t)
+ manage_lnk_files_pattern($1_vmware_t,$1_vmware_var_run_t,$1_vmware_var_run_t)
+ manage_sock_files_pattern($1_vmware_t,$1_vmware_var_run_t,$1_vmware_var_run_t)
files_pid_filetrans($1_vmware_t,$1_vmware_var_run_t,{ dir file lnk_file })
+ domtrans_pattern($2, vmware_exec_t, $1_vmware_t)
+
kernel_read_system_state($1_vmware_t)
kernel_read_network_state($1_vmware_t)
kernel_read_kernel_sysctls($1_vmware_t)
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index e41d16c5..2fd59564 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -30,17 +30,15 @@ files_pid_file(vmware_var_run_t)
allow vmware_host_t self:capability { setuid net_raw };
dontaudit vmware_host_t self:capability sys_tty_config;
allow vmware_host_t self:process signal_perms;
-allow vmware_host_t self:fifo_file rw_file_perms;
+allow vmware_host_t self:fifo_file rw_fifo_file_perms;
allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
allow vmware_host_t self:rawip_socket create_socket_perms;
# cjp: the ro and rw files should be split up
-allow vmware_host_t vmware_sys_conf_t:dir rw_dir_perms;
-allow vmware_host_t vmware_sys_conf_t:file manage_file_perms;
+manage_files_pattern(vmware_host_t,vmware_sys_conf_t,vmware_sys_conf_t)
-allow vmware_host_t vmware_var_run_t:file manage_file_perms;
-allow vmware_host_t vmware_var_run_t:sock_file manage_file_perms;
-allow vmware_host_t vmware_var_run_t:dir rw_dir_perms;
+manage_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
+manage_sock_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
kernel_read_kernel_sysctls(vmware_host_t)
diff --git a/policy/modules/apps/webalizer.if b/policy/modules/apps/webalizer.if
index b7549433..823dc07f 100644
--- a/policy/modules/apps/webalizer.if
+++ b/policy/modules/apps/webalizer.if
@@ -15,12 +15,7 @@ interface(`webalizer_domtrans',`
type webalizer_t, webalizer_exec_t;
')
- domain_auto_trans($1,webalizer_exec_t,webalizer_t)
-
- allow $1 webalizer_t:fd use;
- allow webalizer_t $1:fd use;
- allow webalizer_t $1:fifo_file rw_file_perms;
- allow webalizer_t $1:process sigchld;
+ domtrans_pattern($1,webalizer_exec_t,webalizer_t)
')
########################################
diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
index 4fd32636..ace13c27 100644
--- a/policy/modules/apps/webalizer.te
+++ b/policy/modules/apps/webalizer.te
@@ -5,6 +5,7 @@ policy_module(webalizer,1.3.0)
#
# Declarations
#
+
type webalizer_t;
type webalizer_exec_t;
domain_type(webalizer_t)
@@ -30,11 +31,12 @@ files_type(webalizer_write_t)
#
# Local policy
#
+
allow webalizer_t self:capability dac_override;
allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow webalizer_t self:fd use;
-allow webalizer_t self:fifo_file rw_file_perms;
-allow webalizer_t self:sock_file r_file_perms;
+allow webalizer_t self:fifo_file rw_fifo_file_perms;
+allow webalizer_t self:sock_file read_sock_file_perms;
allow webalizer_t self:shm create_shm_perms;
allow webalizer_t self:sem create_sem_perms;
allow webalizer_t self:msgq create_msgq_perms;
@@ -49,12 +51,11 @@ allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
allow webalizer_t webalizer_etc_t:file { getattr read };
-allow webalizer_t webalizer_tmp_t:dir create_dir_perms;
-allow webalizer_t webalizer_tmp_t:file create_file_perms;
+manage_dirs_pattern(webalizer_t,webalizer_tmp_t,webalizer_tmp_t)
+manage_files_pattern(webalizer_t,webalizer_tmp_t,webalizer_tmp_t)
files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
-allow webalizer_t webalizer_var_lib_t:file create_file_perms;
-allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(webalizer_t,webalizer_var_lib_t,webalizer_var_lib_t)
files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t,file)
kernel_read_kernel_sysctls(webalizer_t)
@@ -92,6 +93,10 @@ ifdef(`targeted_policy',`
term_use_unallocated_ttys(webalizer_t)
')
+optional_policy(`
+ cron_system_entry(webalizer_t,webalizer_exec_t)
+')
+
optional_policy(`
ftp_read_log(webalizer_t)
')
@@ -103,7 +108,3 @@ optional_policy(`
optional_policy(`
nscd_socket_use(webalizer_t)
')
-
-optional_policy(`
- cron_system_entry(webalizer_t,webalizer_exec_t)
-')
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index 00b468e8..84b362ad 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -16,10 +16,5 @@ interface(`wine_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, wine_exec_t, wine_t)
-
- allow $1 wine_t:fd use;
- allow wine_t $1:fd use;
- allow wine_t $1:fifo_file rw_file_perms;
- allow wine_t $1:process sigchld;
+ domtrans_pattern($1, wine_exec_t, wine_t)
')
diff --git a/policy/modules/apps/yam.if b/policy/modules/apps/yam.if
index 57e30ea3..cb13e774 100644
--- a/policy/modules/apps/yam.if
+++ b/policy/modules/apps/yam.if
@@ -16,12 +16,7 @@ interface(`yam_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,yam_exec_t,yam_t)
-
- allow $1 yam_t:fd use;
- allow yam_t $1:fd use;
- allow yam_t $1:fifo_file rw_file_perms;
- allow yam_t $1:process sigchld;
+ domtrans_pattern($1,yam_exec_t,yam_t)
')
########################################
@@ -72,6 +67,6 @@ interface(`yam_read_content',`
')
allow $1 yam_content_t:dir list_dir_perms;
- allow $1 yam_content_t:file read_file_perms;
- allow $1 yam_content_t:lnk_file { getattr read };
+ read_files_pattern($1,yam_content_t,yam_content_t)
+ read_lnk_files_pattern($1,yam_content_t,yam_content_t)
')
diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te
index 9181ebaf..bd82b0d1 100644
--- a/policy/modules/apps/yam.te
+++ b/policy/modules/apps/yam.te
@@ -29,7 +29,7 @@ allow yam_t self:capability { chown fowner fsetid dac_override };
allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow yam_t self:process execmem;
allow yam_t self:fd use;
-allow yam_t self:fifo_file rw_file_perms;
+allow yam_t self:fifo_file rw_fifo_file_perms;
allow yam_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow yam_t self:unix_dgram_socket { create_socket_perms sendto };
allow yam_t self:shm create_shm_perms;
@@ -39,15 +39,15 @@ allow yam_t self:msg { send receive };
allow yam_t self:tcp_socket create_socket_perms;
# Update the content being managed by yam.
-allow yam_t yam_content_t:dir create_dir_perms;
-allow yam_t yam_content_t:file create_file_perms;
-allow yam_t yam_content_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(yam_t,yam_content_t,yam_content_t)
+manage_files_pattern(yam_t,yam_content_t,yam_content_t)
+manage_lnk_files_pattern(yam_t,yam_content_t,yam_content_t)
allow yam_t yam_etc_t:file { getattr read };
files_search_etc(yam_t)
-allow yam_t yam_tmp_t:dir create_dir_perms;
-allow yam_t yam_tmp_t:file create_file_perms;
+manage_files_pattern(yam_t,yam_tmp_t,yam_tmp_t)
+manage_dirs_pattern(yam_t,yam_tmp_t,yam_tmp_t)
files_tmp_filetrans(yam_t, yam_tmp_t, { file dir })
kernel_read_kernel_sysctls(yam_t)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 338068de..6531489f 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -133,7 +133,7 @@ interface(`corecmd_search_bin',`
type bin_t;
')
- allow $1 bin_t:dir search_dir_perms;
+ search_dirs_pattern($1,bin_t,bin_t)
')
########################################
@@ -151,7 +151,7 @@ interface(`corecmd_list_bin',`
type bin_t;
')
- allow $1 bin_t:dir list_dir_perms;
+ list_dirs_pattern($1,bin_t,bin_t)
')
########################################
@@ -169,7 +169,7 @@ interface(`corecmd_getattr_bin_files',`
type bin_t;
')
- allow $1 bin_t:file getattr;
+ getattr_files_pattern($1,bin_t,bin_t)
')
########################################
@@ -187,8 +187,7 @@ interface(`corecmd_read_bin_files',`
type bin_t;
')
- allow $1 bin_t:dir search_dir_perms;
- allow $1 bin_t:file read_file_perms;
+ read_files_pattern($1,bin_t,bin_t)
')
########################################
@@ -206,8 +205,7 @@ interface(`corecmd_read_bin_symlinks',`
type bin_t;
')
- allow $1 bin_t:dir search_dir_perms;
- allow $1 bin_t:lnk_file read_file_perms;
+ read_lnk_files_pattern($1,bin_t,bin_t)
')
########################################
@@ -225,8 +223,7 @@ interface(`corecmd_read_bin_pipes',`
type bin_t;
')
- allow $1 bin_t:dir search_dir_perms;
- allow $1 bin_t:fifo_file read_file_perms;
+ read_fifo_files_pattern($1,bin_t,bin_t)
')
########################################
@@ -244,8 +241,7 @@ interface(`corecmd_read_bin_sockets',`
type bin_t;
')
- allow $1 bin_t:dir search_dir_perms;
- allow $1 bin_t:sock_file read_file_perms;
+ read_sock_files_pattern($1,bin_t,bin_t)
')
########################################
@@ -264,10 +260,9 @@ interface(`corecmd_exec_bin',`
type bin_t;
')
- allow $1 bin_t:dir list_dir_perms;
- allow $1 bin_t:lnk_file read_file_perms;
+ read_lnk_files_pattern($1,bin_t,bin_t)
+ list_dirs_pattern($1,bin_t,bin_t)
can_exec($1,bin_t)
-
')
########################################
@@ -285,8 +280,7 @@ interface(`corecmd_manage_bin_files',`
type bin_t;
')
- allow $1 bin_t:dir rw_dir_perms;
- allow $1 bin_t:file manage_file_perms;
+ manage_files_pattern($1,bin_t,bin_t)
')
########################################
@@ -304,8 +298,7 @@ interface(`corecmd_relabel_bin_files',`
type bin_t;
')
- allow $1 bin_t:dir search_dir_perms;
- allow $1 bin_t:file { relabelfrom relabelto };
+ relabel_files_pattern($1,bin_t,bin_t)
')
########################################
@@ -368,10 +361,8 @@ interface(`corecmd_bin_spec_domtrans',`
type bin_t;
')
- allow $1 bin_t:dir search_dir_perms;
- allow $1 bin_t:lnk_file { getattr read };
-
- domain_trans($1,bin_t,$2)
+ read_lnk_files_pattern($1,bin_t,bin_t)
+ domain_transition_pattern($1,bin_t,$2)
')
########################################
@@ -469,7 +460,7 @@ interface(`corecmd_list_sbin',`
type sbin_t;
')
- allow $1 sbin_t:dir list_dir_perms;
+ list_dirs_pattern($1,sbin_t,sbin_t)
')
########################################
@@ -487,7 +478,7 @@ interface(`corecmd_getattr_sbin_files',`
type sbin_t;
')
- allow $1 sbin_t:file getattr;
+ getattr_files_pattern($1,sbin_t,sbin_t)
')
########################################
@@ -524,8 +515,7 @@ interface(`corecmd_read_sbin_files',`
type sbin_t;
')
- allow $1 sbin_t:dir search_dir_perms;
- allow $1 sbin_t:file read_file_perms;
+ read_files_pattern($1,sbin_t,sbin_t)
')
########################################
@@ -543,8 +533,7 @@ interface(`corecmd_read_sbin_symlinks',`
type sbin_t;
')
- allow $1 sbin_t:dir search_dir_perms;
- allow $1 sbin_t:lnk_file read_file_perms;
+ read_lnk_files_pattern($1,sbin_t,sbin_t)
')
########################################
@@ -562,8 +551,7 @@ interface(`corecmd_read_sbin_pipes',`
type sbin_t;
')
- allow $1 sbin_t:dir search_dir_perms;
- allow $1 sbin_t:fifo_file read_file_perms;
+ read_fifo_files_pattern($1,sbin_t,sbin_t)
')
########################################
@@ -581,8 +569,7 @@ interface(`corecmd_read_sbin_sockets',`
type sbin_t;
')
- allow $1 sbin_t:dir search_dir_perms;
- allow $1 sbin_t:sock_file read_file_perms;
+ read_sock_files_pattern($1,sbin_t,sbin_t)
')
########################################
@@ -601,8 +588,8 @@ interface(`corecmd_exec_sbin',`
type sbin_t;
')
- allow $1 sbin_t:dir list_dir_perms;
- allow $1 sbin_t:lnk_file read_file_perms;
+ list_dirs_pattern($1,sbin_t,sbin_t)
+ read_lnk_files_pattern($1,sbin_t,sbin_t)
can_exec($1,sbin_t)
')
@@ -622,8 +609,7 @@ interface(`corecmd_manage_sbin_files',`
type sbin_t;
')
- allow $1 sbin_t:dir rw_dir_perms;
- allow $1 sbin_t:file manage_file_perms;
+ manage_files_pattern($1,sbin_t,sbin_t)
')
########################################
@@ -642,8 +628,7 @@ interface(`corecmd_relabel_sbin_files',`
type sbin_t;
')
- allow $1 sbin_t:dir search_dir_perms;
- allow $1 sbin_t:file { relabelfrom relabelto };
+ relabel_files_pattern($1,sbin_t,sbin_t)
')
########################################
@@ -705,10 +690,8 @@ interface(`corecmd_sbin_domtrans',`
type sbin_t;
')
- allow $1 sbin_t:dir search_dir_perms;
- allow $1 sbin_t:lnk_file { getattr read };
-
- domain_auto_trans($1,sbin_t,$2)
+ read_lnk_files_pattern($1,sbin_t,sbin_t)
+ domain_auto_transition_pattern($1,sbin_t,$2)
')
########################################
@@ -752,10 +735,8 @@ interface(`corecmd_sbin_spec_domtrans',`
type sbin_t;
')
- allow $1 sbin_t:dir search_dir_perms;
- allow $1 sbin_t:lnk_file { getattr read };
-
- domain_trans($1,sbin_t,$2)
+ read_lnk_files_pattern($1,sbin_t,sbin_t)
+ domain_transition_pattern($1,sbin_t,$2)
')
########################################
@@ -773,8 +754,8 @@ interface(`corecmd_check_exec_shell',`
type bin_t, shell_exec_t;
')
- allow $1 bin_t:dir list_dir_perms;
- allow $1 bin_t:lnk_file read_file_perms;
+ list_dirs_pattern($1,bin_t,bin_t)
+ read_lnk_files_pattern($1,bin_t,bin_t)
allow $1 shell_exec_t:file execute;
')
@@ -793,8 +774,8 @@ interface(`corecmd_exec_shell',`
type bin_t, shell_exec_t;
')
- allow $1 bin_t:dir list_dir_perms;
- allow $1 bin_t:lnk_file read_file_perms;
+ list_dirs_pattern($1,bin_t,bin_t)
+ read_lnk_files_pattern($1,bin_t,bin_t)
can_exec($1,shell_exec_t)
')
@@ -813,8 +794,8 @@ interface(`corecmd_exec_ls',`
type bin_t, ls_exec_t;
')
- allow $1 bin_t:dir list_dir_perms;
- allow $1 bin_t:lnk_file read_file_perms;
+ list_dirs_pattern($1,bin_t,bin_t)
+ read_lnk_files_pattern($1,bin_t,bin_t)
can_exec($1,ls_exec_t)
')
@@ -852,10 +833,9 @@ interface(`corecmd_shell_spec_domtrans',`
type bin_t, shell_exec_t;
')
- allow $1 bin_t:dir list_dir_perms;
- allow $1 bin_t:lnk_file read_file_perms;
-
- domain_trans($1,shell_exec_t,$2)
+ list_dirs_pattern($1,bin_t,bin_t)
+ read_lnk_files_pattern($1,bin_t,bin_t)
+ domain_transition_pattern($1,shell_exec_t,$2)
')
########################################
@@ -907,6 +887,7 @@ interface(`corecmd_exec_chroot',`
type chroot_exec_t;
')
+ read_lnk_files_pattern($1,bin_t,bin_t)
can_exec($1,chroot_exec_t)
allow $1 self:capability sys_chroot;
')
@@ -929,8 +910,8 @@ interface(`corecmd_exec_all_executables',`
')
can_exec($1,exec_type)
- allow $1 { bin_t sbin_t }:dir list_dir_perms;
- allow $1 { bin_t sbin_t }:lnk_file read_file_perms;
+ list_dirs_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
+ read_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
')
########################################
@@ -950,9 +931,8 @@ interface(`corecmd_manage_all_executables',`
type bin_t, sbin_t;
')
- allow $1 exec_type:file manage_file_perms;
- allow $1 { bin_t sbin_t }:dir rw_dir_perms;
- allow $1 { bin_t sbin_t }:lnk_file create_lnk_perms;
+ manage_files_pattern($1,{ bin_t sbin_t },exec_type)
+ manage_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
')
########################################
@@ -971,7 +951,7 @@ interface(`corecmd_relabel_all_executables',`
attribute exec_type;
')
- allow $1 exec_type:file { relabelfrom relabelto };
+ allow $1 exec_type:file relabel_file_perms;
')
########################################
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index b19784e1..fc2e6c88 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -63,13 +63,13 @@ interface(`dev_relabel_all_dev_nodes',`
type device_t;
')
- allow $1 device_node:dir { getattr relabelfrom };
- allow $1 device_node:file { getattr relabelfrom };
- allow $1 device_node:lnk_file { getattr relabelfrom };
- allow $1 device_node:fifo_file { getattr relabelfrom };
- allow $1 device_node:sock_file { getattr relabelfrom };
- allow $1 { device_t device_node }:blk_file { getattr relabelfrom relabelto };
- allow $1 { device_t device_node }:chr_file { getattr relabelfrom relabelto };
+ relabelfrom_dirs_pattern($1,device_t,device_node)
+ relabelfrom_files_pattern($1,device_t,device_node)
+ relabelfrom_lnk_files_pattern($1,device_t,device_node)
+ relabelfrom_fifo_files_pattern($1,device_t,device_node)
+ relabelfrom_sock_files_pattern($1,device_t,device_node)
+ relabel_blk_files_pattern($1,device_t,{ device_t device_node })
+ relabel_chr_files_pattern($1,device_t,{ device_t device_node })
')
########################################
@@ -87,8 +87,9 @@ interface(`dev_list_all_dev_nodes',`
type device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 device_t:lnk_file { getattr read };
+
+ list_dirs_pattern($1,device_t,device_t)
+ read_lnk_files_pattern($1,device_t,device_t)
')
########################################
@@ -106,7 +107,7 @@ interface(`dev_setattr_generic_dirs',`
type device_t;
')
- allow $1 device_t:dir setattr;
+ setattr_dirs_pattern($1,device_t,device_t)
')
########################################
@@ -124,7 +125,25 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
type device_t;
')
- dontaudit $1 device_t:dir r_dir_perms;
+ dontaudit $1 device_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Add entries to directories in /dev.
+##
+##
+##
+## Domain allowed to add entries.
+##
+##
+#
+interface(`dev_add_entry_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir add_entry_dir_perms;
')
########################################
@@ -143,6 +162,7 @@ interface(`dev_create_generic_dirs',`
')
allow $1 device_t:dir { ra_dir_perms create };
+ create_dirs_pattern($1,device_t,device_t)
')
########################################
@@ -160,7 +180,7 @@ interface(`dev_delete_generic_dirs',`
type device_t;
')
- allow $1 device_t:dir { del_entry_dir_perms rmdir };
+ delete_dirs_pattern($1,device_t,device_t)
')
########################################
@@ -178,7 +198,7 @@ interface(`dev_relabel_generic_dev_dirs',`
type device_t;
')
- allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
+ relabel_dirs_pattern($1,device_t,device_t)
')
########################################
@@ -214,8 +234,7 @@ interface(`dev_rw_generic_files',`
type device_t;
')
- allow $1 device_t:dir search;
- allow $1 device_t:file rw_file_perms;
+ rw_files_pattern($1,device_t,device_t)
')
########################################
@@ -233,8 +252,7 @@ interface(`dev_delete_generic_files',`
type device_t;
')
- allow $1 device_t:dir { search write remove_name };
- allow $1 device_t:file unlink;
+ delete_files_pattern($1,device_t,device_t)
')
########################################
@@ -252,8 +270,7 @@ interface(`dev_manage_generic_files',`
type device_t;
')
- allow $1 device_t:dir rw_dir_perms;
- allow $1 device_t:file manage_file_perms;
+ manage_files_pattern($1,device_t,device_t)
')
########################################
@@ -289,8 +306,7 @@ interface(`dev_getattr_generic_blk_files',`
type device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 device_t:blk_file getattr;
+ getattr_blk_files_pattern($1,device_t,device_t)
')
########################################
@@ -344,10 +360,7 @@ interface(`dev_create_generic_chr_files',`
type device_t;
')
- allow $1 device_t:dir ra_dir_perms;
- allow $1 device_t:chr_file create;
-
- allow $1 self:capability mknod;
+ create_chr_files_pattern($1,device_t,device_t)
')
########################################
@@ -365,8 +378,7 @@ interface(`dev_getattr_generic_chr_files',`
type device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 device_t:chr_file getattr;
+ getattr_chr_files_pattern($1,device_t,device_t)
')
########################################
@@ -439,8 +451,7 @@ interface(`dev_create_generic_symlinks',`
type device_t;
')
- allow $1 device_t:dir add_entry_dir_perms;
- allow $1 device_t:lnk_file create;
+ create_lnk_files_pattern($1,device_t,device_t)
')
########################################
@@ -458,8 +469,7 @@ interface(`dev_delete_generic_symlinks',`
type device_t;
')
- allow $1 device_t:dir del_entry_dir_perms;
- allow $1 device_t:lnk_file unlink;
+ delete_lnk_files_pattern($1,device_t,device_t)
')
########################################
@@ -477,8 +487,7 @@ interface(`dev_manage_generic_symlinks',`
type device_t;
')
- allow $1 device_t:dir rw_dir_perms;
- allow $1 device_t:lnk_file create_lnk_perms;
+ manage_lnk_files_pattern($1,device_t,device_t)
')
########################################
@@ -496,8 +505,7 @@ interface(`dev_relabel_generic_symlinks',`
type device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 device_t:lnk_file { relabelfrom relabelto };
+ relabel_lnk_files_pattern($1,device_t,device_t)
')
########################################
@@ -516,11 +524,14 @@ interface(`dev_manage_all_dev_nodes',`
type device_t;
')
- allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
- allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
- allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
- allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+ manage_dirs_pattern($1,device_t,device_t)
+ manage_sock_files_pattern($1,device_t,device_t)
+ manage_lnk_files_pattern($1,device_t,device_t)
+ manage_chr_files_pattern($1,device_t,{ device_t device_node })
+ manage_blk_files_pattern($1,device_t,{ device_t device_node })
+ relabel_dirs_pattern($1,device_t,device_t)
+ relabel_chr_files_pattern($1,device_t,{ device_t device_node })
+ relabel_blk_files_pattern($1,device_t,{ device_t device_node })
# these next rules are to satisfy assertions broken by the above lines.
# the permissions hopefully can be cut back a lot
@@ -566,9 +577,7 @@ interface(`dev_manage_generic_blk_files',`
type device_t;
')
- allow $1 device_t:dir rw_dir_perms;
- allow $1 device_t:blk_file create_file_perms;
- allow $1 self:capability mknod;
+ manage_blk_files_pattern($1,device_t,device_t)
')
########################################
@@ -586,9 +595,7 @@ interface(`dev_manage_generic_chr_files',`
type device_t;
')
- allow $1 device_t:dir rw_dir_perms;
- allow $1 device_t:chr_file create_file_perms;
- allow $1 self:capability mknod;
+ manage_chr_files_pattern($1,device_t,device_t)
')
########################################
@@ -618,8 +625,7 @@ interface(`dev_filetrans',`
type device_t;
')
- allow $1 device_t:dir rw_dir_perms;
- type_transition $1 device_t:$3 $2;
+ filetrans_pattern($1,device_t,$2,$3)
fs_associate_tmpfs($2)
files_associate_tmp($2)
@@ -639,9 +645,10 @@ interface(`dev_filetrans',`
interface(`dev_getattr_all_blk_files',`
gen_require(`
attribute device_node;
+ type device_t;
')
- allow $1 device_node:blk_file getattr;
+ getattr_blk_files_pattern($1,device_t,device_node)
')
########################################
@@ -678,7 +685,7 @@ interface(`dev_getattr_all_chr_files',`
attribute device_node;
')
- allow $1 device_node:chr_file getattr;
+ getattr_chr_files_pattern($1,device_t,device_node)
')
########################################
@@ -715,8 +722,7 @@ interface(`dev_setattr_all_blk_files',`
attribute device_node;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 device_node:blk_file setattr;
+ setattr_blk_files_pattern($1,device_t,device_node)
')
########################################
@@ -735,8 +741,7 @@ interface(`dev_setattr_all_chr_files',`
attribute device_node;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 device_node:chr_file setattr;
+ setattr_chr_files_pattern($1,device_t,device_node)
')
########################################
@@ -790,9 +795,7 @@ interface(`dev_create_all_blk_files',`
attribute device_node;
')
- allow $1 self:capability mknod;
- allow $1 device_t:dir add_entry_dir_perms;
- allow $1 device_node:blk_file create;
+ create_blk_files_pattern($1,device_t,device_node)
')
########################################
@@ -810,9 +813,7 @@ interface(`dev_create_all_chr_files',`
attribute device_node;
')
- allow $1 self:capability mknod;
- allow $1 device_t:dir add_entry_dir_perms;
- allow $1 device_node:chr_file create;
+ create_chr_files_pattern($1,device_t,device_node)
')
########################################
@@ -830,8 +831,7 @@ interface(`dev_delete_all_blk_files',`
attribute device_node;
')
- allow $1 device_t:dir del_entry_dir_perms;
- allow $1 device_node:blk_file delete_file_perms;
+ delete_blk_files_pattern($1,device_t,device_node)
')
########################################
@@ -849,8 +849,7 @@ interface(`dev_delete_all_chr_files',`
attribute device_node;
')
- allow $1 device_t:dir del_entry_dir_perms;
- allow $1 device_node:chr_file delete_file_perms;
+ delete_chr_files_pattern($1,device_t,device_node)
')
########################################
@@ -868,8 +867,7 @@ interface(`dev_rename_all_blk_files',`
attribute device_node;
')
- allow $1 device_t:dir rw_dir_perms;
- allow $1 device_node:blk_file rename;
+ rename_blk_files_pattern($1,device_t,device_node)
')
########################################
@@ -887,8 +885,7 @@ interface(`dev_rename_all_chr_files',`
attribute device_node;
')
- allow $1 device_t:dir rw_dir_perms;
- allow $1 device_node:chr_file rename;
+ rename_chr_files_pattern($1,device_t,device_node)
')
########################################
@@ -906,8 +903,7 @@ interface(`dev_manage_all_blk_files',`
attribute device_node;
')
- allow $1 device_t:dir rw_dir_perms;
- allow $1 device_node:blk_file create_file_perms;
+ manage_blk_files_pattern($1,device_t,device_node)
# these next rules are to satisfy assertions broken by the above lines.
storage_raw_read_fixed_disk($1)
@@ -931,8 +927,7 @@ interface(`dev_manage_all_chr_files',`
attribute device_node, memory_raw_read, memory_raw_write;
')
- allow $1 device_t:dir rw_dir_perms;
- allow $1 device_node:chr_file create_file_perms;
+ manage_chr_files_pattern($1,device_t,device_node)
typeattribute $1 memory_raw_read, memory_raw_write;
')
@@ -952,8 +947,7 @@ interface(`dev_getattr_agp_dev',`
type device_t, agp_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 agp_device_t:chr_file getattr;
+ getattr_chr_files_pattern($1,device_t,agp_device_t)
')
########################################
@@ -971,8 +965,7 @@ interface(`dev_rw_agp',`
type device_t, agp_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 agp_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,agp_device_t)
')
########################################
@@ -990,8 +983,7 @@ interface(`dev_getattr_apm_bios_dev',`
type device_t, apm_bios_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 apm_bios_t:chr_file getattr;
+ getattr_chr_files_pattern($1,device_t,apm_bios_t)
')
########################################
@@ -1028,8 +1020,7 @@ interface(`dev_setattr_apm_bios_dev',`
type device_t, apm_bios_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 apm_bios_t:chr_file setattr;
+ setattr_chr_files_pattern($1,device_t,apm_bios_t)
')
########################################
@@ -1066,8 +1057,7 @@ interface(`dev_rw_apm_bios',`
type device_t, apm_bios_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 apm_bios_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,apm_bios_t)
')
########################################
@@ -1085,8 +1075,7 @@ interface(`dev_rw_cardmgr',`
type cardmgr_dev_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 cardmgr_dev_t:chr_file { read write };
+ rw_chr_files_pattern($1,device_t,cardmgr_dev_t)
')
########################################
@@ -1124,8 +1113,8 @@ interface(`dev_manage_cardmgr_dev',`
type device_t, cardmgr_dev_t;
')
- allow $1 device_t:dir rw_dir_perms;
- allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
+ manage_chr_files_pattern($1,device_t,cardmgr_dev_t)
+ manage_blk_files_pattern($1,device_t,cardmgr_dev_t)
')
########################################
@@ -1145,9 +1134,9 @@ interface(`dev_create_cardmgr_dev',`
type device_t, cardmgr_dev_t;
')
- allow $1 device_t:dir rw_dir_perms;
- allow $1 cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
- type_transition $1 device_t:{ chr_file blk_file } cardmgr_dev_t;
+ create_chr_files_pattern($1,device_t,cardmgr_dev_t)
+ create_blk_files_pattern($1,device_t,cardmgr_dev_t)
+ filetrans_pattern($1,device_t,cardmgr_dev_t,{ chr_file blk_file })
')
########################################
@@ -1166,8 +1155,7 @@ interface(`dev_getattr_cpu_dev',`
type device_t, cpu_device_t;
')
- allow $1 device_t:dir search;
- allow $1 cpu_device_t:chr_file getattr;
+ getattr_chr_files_pattern($1,device_t,cpu_device_t)
')
########################################
@@ -1185,8 +1173,7 @@ interface(`dev_read_cpuid',`
type device_t, cpu_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 cpu_device_t:chr_file r_file_perms;
+ read_chr_files_pattern($1,device_t,cpu_device_t)
')
########################################
@@ -1205,8 +1192,7 @@ interface(`dev_rw_cpu_microcode',`
type device_t, cpu_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 cpu_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,cpu_device_t)
')
########################################
@@ -1224,8 +1210,7 @@ interface(`dev_rw_crypto',`
type device_t, crypt_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 crypt_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,crypt_device_t)
')
########################################
@@ -1243,8 +1228,7 @@ interface(`dev_getattr_dri_dev',`
type device_t, dri_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 dri_device_t:chr_file getattr;
+ getattr_chr_files_pattern($1,device_t,dri_device_t)
')
########################################
@@ -1262,8 +1246,7 @@ interface(`dev_setattr_dri_dev',`
type device_t, dri_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 dri_device_t:chr_file setattr;
+ setattr_chr_files_pattern($1,device_t,dri_device_t)
')
########################################
@@ -1281,8 +1264,7 @@ interface(`dev_rw_dri',`
type device_t, dri_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 dri_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,dri_device_t)
')
########################################
@@ -1318,9 +1300,8 @@ interface(`dev_manage_dri_dev',`
type device_t, dri_device_t;
')
- allow $1 device_t:dir rw_dir_perms;
- allow $1 dri_device_t:chr_file manage_file_perms;
- type_transition $1 device_t:chr_file dri_device_t;
+ manage_chr_files_pattern($1,device_t,dri_device_t)
+ filetrans_pattern($1,device_t,dri_device_t,chr_file)
')
########################################
@@ -1338,8 +1319,7 @@ interface(`dev_read_input',`
type device_t, event_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 event_device_t:chr_file r_file_perms;
+ read_chr_files_pattern($1,device_t,event_device_t)
')
########################################
@@ -1357,8 +1337,7 @@ interface(`dev_rw_input_dev',`
type device_t, event_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 event_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,event_device_t)
')
########################################
@@ -1376,8 +1355,7 @@ interface(`dev_getattr_framebuffer_dev',`
type device_t, framebuf_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 framebuf_device_t:chr_file getattr;
+ getattr_chr_files_pattern($1,device_t,framebuf_device_t)
')
########################################
@@ -1395,8 +1373,7 @@ interface(`dev_setattr_framebuffer_dev',`
type device_t, framebuf_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 framebuf_device_t:chr_file setattr;
+ setattr_chr_files_pattern($1,device_t,framebuf_device_t)
')
########################################
@@ -1433,8 +1410,7 @@ interface(`dev_read_framebuffer',`
type framebuf_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 framebuf_device_t:chr_file r_file_perms;
+ read_chr_files_pattern($1,device_t,framebuf_device_t)
')
########################################
@@ -1470,8 +1446,7 @@ interface(`dev_write_framebuffer',`
type device_t, framebuf_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 framebuf_device_t:chr_file { getattr write ioctl };
+ write_chr_files_pattern($1,device_t,framebuf_device_t)
')
########################################
@@ -1489,8 +1464,7 @@ interface(`dev_rw_framebuffer',`
type device_t, framebuf_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 framebuf_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,framebuf_device_t)
')
########################################
@@ -1508,8 +1482,7 @@ interface(`dev_read_lvm_control',`
type device_t, lvm_control_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 lvm_control_t:chr_file r_file_perms;
+ read_chr_files_pattern($1,device_t,lvm_control_t)
')
########################################
@@ -1527,8 +1500,7 @@ interface(`dev_rw_lvm_control',`
type device_t, lvm_control_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 lvm_control_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,lvm_control_t)
')
########################################
@@ -1546,8 +1518,7 @@ interface(`dev_delete_lvm_control_dev',`
type device_t, lvm_control_t;
')
- allow $1 device_t:dir { getattr search read write remove_name };
- allow $1 lvm_control_t:chr_file unlink;
+ delete_chr_files_pattern($1,device_t,lvm_control_t)
')
########################################
@@ -1584,8 +1555,7 @@ interface(`dev_read_raw_memory',`
attribute memory_raw_read;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 memory_device_t:chr_file r_file_perms;
+ read_chr_files_pattern($1,device_t,memory_device_t)
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_read;
@@ -1607,8 +1577,7 @@ interface(`dev_write_raw_memory',`
attribute memory_raw_write;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 memory_device_t:chr_file write;
+ write_chr_files_pattern($1,device_t,memory_device_t)
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_write;
@@ -1667,8 +1636,7 @@ interface(`dev_getattr_misc_dev',`
type device_t, misc_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 misc_device_t:chr_file getattr;
+ getattr_chr_files_pattern($1,device_t,misc_device_t)
')
########################################
@@ -1705,8 +1673,7 @@ interface(`dev_setattr_misc_dev',`
type device_t, misc_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 misc_device_t:chr_file setattr;
+ setattr_chr_files_pattern($1,device_t,misc_device_t)
')
########################################
@@ -1743,8 +1710,7 @@ interface(`dev_read_misc',`
type device_t, misc_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 misc_device_t:chr_file r_file_perms;
+ read_chr_files_pattern($1,device_t,misc_device_t)
')
########################################
@@ -1762,8 +1728,7 @@ interface(`dev_write_misc',`
type device_t, misc_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 misc_device_t:chr_file { getattr write ioctl };
+ write_chr_files_pattern($1,device_t,misc_device_t)
')
########################################
@@ -1799,8 +1764,7 @@ interface(`dev_getattr_mouse_dev',`
type device_t, mouse_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 mouse_device_t:chr_file getattr;
+ getattr_chr_files_pattern($1,device_t,mouse_device_t)
')
########################################
@@ -1818,8 +1782,7 @@ interface(`dev_setattr_mouse_dev',`
type device_t, mouse_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 mouse_device_t:chr_file setattr;
+ setattr_chr_files_pattern($1,device_t,mouse_device_t)
')
########################################
@@ -1837,8 +1800,7 @@ interface(`dev_read_mouse',`
type device_t, mouse_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 mouse_device_t:chr_file r_file_perms;
+ read_chr_files_pattern($1,device_t,mouse_device_t)
')
########################################
@@ -1856,8 +1818,7 @@ interface(`dev_rw_mouse',`
type device_t, mouse_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 mouse_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,mouse_device_t)
')
########################################
@@ -1876,8 +1837,8 @@ interface(`dev_getattr_mtrr_dev',`
type device_t, mtrr_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 mtrr_device_t:{ file chr_file } getattr;
+ getattr_files_pattern($1,device_t,mtrr_device_t)
+ getattr_chr_files_pattern($1,device_t,mtrr_device_t)
')
########################################
@@ -1953,8 +1914,8 @@ interface(`dev_rw_mtrr',`
type device_t, mtrr_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 mtrr_device_t:{ file chr_file } rw_file_perms;
+ rw_files_pattern($1,device_t,mtrr_device_t)
+ rw_chr_files_pattern($1,device_t,mtrr_device_t)
')
########################################
@@ -1972,8 +1933,7 @@ interface(`dev_rw_null',`
type device_t, null_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 null_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,null_device_t)
')
########################################
@@ -1991,10 +1951,7 @@ interface(`dev_create_null_dev',`
type device_t, null_device_t;
')
- allow $1 device_t:dir add_entry_dir_perms;
- allow $1 null_device_t:chr_file create;
-
- allow $1 self:capability mknod;
+ create_chr_files_pattern($1,device_t,null_device_t)
')
########################################
@@ -2031,8 +1988,7 @@ interface(`dev_rw_nvram',`
type nvram_device_t;
')
- allow $1 device_t:dir search_dir_perms;
- allow $1 nvram_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,nvram_device_t)
')
########################################
@@ -2050,8 +2006,7 @@ interface(`dev_getattr_printer_dev',`
type device_t, printer_device_t;
')
- allow $1 device_t:dir search_dir_perms;
- allow $1 printer_device_t:chr_file getattr;
+ getattr_chr_files_pattern($1,device_t,printer_device_t)
')
########################################
@@ -2069,8 +2024,7 @@ interface(`dev_setattr_printer_dev',`
type device_t, printer_device_t;
')
- allow $1 device_t:dir search_dir_perms;
- allow $1 printer_device_t:chr_file setattr;
+ setattr_chr_files_pattern($1,device_t,printer_device_t)
')
########################################
@@ -2089,8 +2043,7 @@ interface(`dev_append_printer',`
type device_t, printer_device_t;
')
- allow $1 device_t:dir search;
- allow $1 printer_device_t:chr_file { getattr append };
+ append_chr_files_pattern($1,device_t,printer_device_t)
')
########################################
@@ -2108,8 +2061,7 @@ interface(`dev_rw_printer',`
type device_t, printer_device_t;
')
- allow $1 device_t:dir search;
- allow $1 printer_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,printer_device_t)
')
########################################
@@ -2128,8 +2080,7 @@ interface(`dev_read_rand',`
type device_t, random_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 random_device_t:chr_file r_file_perms;
+ read_chr_files_pattern($1,device_t,random_device_t)
')
########################################
@@ -2168,8 +2119,7 @@ interface(`dev_write_rand',`
type device_t, random_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 random_device_t:chr_file { getattr write ioctl };
+ write_chr_files_pattern($1,device_t,random_device_t)
')
########################################
@@ -2187,8 +2137,7 @@ interface(`dev_read_realtime_clock',`
type device_t, clock_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 clock_device_t:chr_file r_file_perms;
+ read_chr_files_pattern($1,device_t,clock_device_t)
')
########################################
@@ -2206,8 +2155,9 @@ interface(`dev_write_realtime_clock',`
type device_t, clock_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
+ write_chr_files_pattern($1,device_t,clock_device_t)
+
+ allow $1 clock_device_t:chr_file setattr;
')
########################################
@@ -2240,8 +2190,7 @@ interface(`dev_getattr_scanner_dev',`
type device_t, scanner_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 scanner_device_t:chr_file getattr;
+ getattr_chr_files_pattern($1,device_t,scanner_device_t)
')
########################################
@@ -2278,8 +2227,7 @@ interface(`dev_setattr_scanner_dev',`
type device_t, scanner_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 scanner_device_t:chr_file setattr;
+ setattr_chr_files_pattern($1,device_t,scanner_device_t)
')
########################################
@@ -2316,8 +2264,7 @@ interface(`dev_rw_scanner',`
type device_t, scanner_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 scanner_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,scanner_device_t)
')
########################################
@@ -2335,8 +2282,7 @@ interface(`dev_getattr_sound_dev',`
type device_t, sound_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file getattr;
+ getattr_chr_files_pattern($1,device_t,sound_device_t)
')
########################################
@@ -2354,8 +2300,7 @@ interface(`dev_setattr_sound_dev',`
type device_t, sound_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file setattr;
+ setattr_chr_files_pattern($1,device_t,sound_device_t)
')
########################################
@@ -2373,8 +2318,7 @@ interface(`dev_read_sound',`
type device_t, sound_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file r_file_perms;
+ read_chr_files_pattern($1,device_t,sound_device_t)
')
########################################
@@ -2392,8 +2336,7 @@ interface(`dev_write_sound',`
type device_t, sound_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file { getattr write ioctl };
+ write_chr_files_pattern($1,device_t,sound_device_t)
')
########################################
@@ -2411,8 +2354,7 @@ interface(`dev_read_sound_mixer',`
type device_t, sound_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file { getattr read ioctl };
+ read_chr_files_pattern($1,device_t,sound_device_t)
')
########################################
@@ -2430,8 +2372,7 @@ interface(`dev_write_sound_mixer',`
type device_t, sound_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file { getattr write ioctl };
+ write_chr_files_pattern($1,device_t,sound_device_t)
')
########################################
@@ -2449,8 +2390,7 @@ interface(`dev_getattr_power_mgmt_dev',`
type device_t, power_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 power_device_t:chr_file getattr;
+ getattr_chr_files_pattern($1,device_t,power_device_t)
')
########################################
@@ -2468,8 +2408,7 @@ interface(`dev_setattr_power_mgmt_dev',`
type device_t, power_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 power_device_t:chr_file setattr;
+ setattr_chr_files_pattern($1,device_t,power_device_t)
')
########################################
@@ -2487,8 +2426,7 @@ interface(`dev_rw_power_management',`
type device_t, power_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 power_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,power_device_t)
')
########################################
@@ -2506,7 +2444,7 @@ interface(`dev_getattr_sysfs_dirs',`
type sysfs_t;
')
- allow $1 sysfs_t:dir getattr;
+ allow $1 sysfs_t:dir getattr_dir_perms;
')
########################################
@@ -2524,7 +2462,7 @@ interface(`dev_search_sysfs',`
type sysfs_t;
')
- allow $1 sysfs_t:dir search;
+ search_dirs_pattern($1,sysfs_t,sysfs_t)
')
########################################
@@ -2542,7 +2480,7 @@ interface(`dev_dontaudit_search_sysfs',`
type sysfs_t;
')
- dontaudit $1 sysfs_t:dir search;
+ dontaudit $1 sysfs_t:dir search_dir_perms;
')
########################################
@@ -2560,7 +2498,7 @@ interface(`dev_list_sysfs',`
type sysfs_t;
')
- allow $1 sysfs_t:dir r_dir_perms;
+ list_dirs_pattern($1,sysfs_t,sysfs_t)
')
########################################
@@ -2578,8 +2516,10 @@ interface(`dev_read_sysfs',`
type sysfs_t;
')
- allow $1 sysfs_t:dir r_dir_perms;
- allow $1 sysfs_t:{ file lnk_file } r_file_perms;
+ read_files_pattern($1,sysfs_t,sysfs_t)
+ read_lnk_files_pattern($1,sysfs_t,sysfs_t)
+
+ list_dirs_pattern($1,sysfs_t,sysfs_t)
')
########################################
@@ -2597,9 +2537,11 @@ interface(`dev_rw_sysfs',`
type sysfs_t;
')
- allow $1 sysfs_t:dir r_dir_perms;
- allow $1 sysfs_t:lnk_file r_file_perms;
- allow $1 sysfs_t:file rw_file_perms;
+
+ rw_files_pattern($1,sysfs_t,sysfs_t)
+ read_lnk_files_pattern($1,sysfs_t,sysfs_t)
+
+ list_dirs_pattern($1,sysfs_t,sysfs_t)
')
########################################
@@ -2617,8 +2559,7 @@ interface(`dev_read_urand',`
type device_t, urandom_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 urandom_device_t:chr_file r_file_perms;
+ read_chr_files_pattern($1,device_t,urandom_device_t)
')
########################################
@@ -2656,8 +2597,7 @@ interface(`dev_write_urand',`
type device_t, urandom_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 urandom_device_t:chr_file { getattr write ioctl };
+ write_chr_files_pattern($1,device_t,urandom_device_t)
')
########################################
@@ -2675,8 +2615,7 @@ interface(`dev_getattr_generic_usb_dev',`
type usb_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 usb_device_t:chr_file getattr;
+ getattr_chr_files_pattern($1,device_t,usb_device_t)
')
########################################
@@ -2694,8 +2633,7 @@ interface(`dev_setattr_generic_usb_dev',`
type usb_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 usb_device_t:chr_file setattr;
+ setattr_chr_files_pattern($1,device_t,usb_device_t)
')
########################################
@@ -2713,8 +2651,7 @@ interface(`dev_rw_generic_usb_dev',`
type usb_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 usb_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,usb_device_t)
')
########################################
@@ -2768,7 +2705,7 @@ interface(`dev_getattr_usbfs_dirs',`
type usbfs_t;
')
- allow $1 usbfs_t:dir getattr;
+ allow $1 usbfs_t:dir getattr_dir_perms;
')
########################################
@@ -2787,7 +2724,7 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',`
type usbfs_t;
')
- dontaudit $1 usbfs_t:dir getattr;
+ dontaudit $1 usbfs_t:dir getattr_dir_perms;
')
########################################
@@ -2805,7 +2742,7 @@ interface(`dev_search_usbfs',`
type usbfs_t;
')
- allow $1 usbfs_t:dir search;
+ search_dirs_pattern($1,usbfs_t,usbfs_t)
')
########################################
@@ -2823,9 +2760,10 @@ interface(`dev_list_usbfs',`
type usbfs_t;
')
- allow $1 usbfs_t:dir r_dir_perms;
- allow $1 usbfs_t:lnk_file r_file_perms;
- allow $1 usbfs_t:file getattr;
+ read_lnk_files_pattern($1,usbfs_t,usbfs_t)
+ getattr_files_pattern($1,usbfs_t,usbfs_t)
+
+ list_dirs_pattern($1,usbfs_t,usbfs_t)
')
########################################
@@ -2843,8 +2781,8 @@ interface(`dev_setattr_usbfs_files',`
type usbfs_t;
')
- allow $1 usbfs_t:dir r_dir_perms;
- allow $1 usbfs_t:file setattr;
+ setattr_files_pattern($1,usbfs_t,usbfs_t)
+ list_dirs_pattern($1,usbfs_t,usbfs_t)
')
########################################
@@ -2863,8 +2801,9 @@ interface(`dev_read_usbfs',`
type usbfs_t;
')
- allow $1 usbfs_t:dir r_dir_perms;
- allow $1 usbfs_t:{ file lnk_file } r_file_perms;
+ read_files_pattern($1,usbfs_t,usbfs_t)
+ read_lnk_files_pattern($1,usbfs_t,usbfs_t)
+ list_dirs_pattern($1,usbfs_t,usbfs_t)
')
########################################
@@ -2882,9 +2821,9 @@ interface(`dev_rw_usbfs',`
type usbfs_t;
')
- allow $1 usbfs_t:dir r_dir_perms;
- allow $1 usbfs_t:lnk_file r_file_perms;
- allow $1 usbfs_t:file rw_file_perms;
+ list_dirs_pattern($1,usbfs_t,usbfs_t)
+ rw_files_pattern($1,usbfs_t,usbfs_t)
+ read_lnk_files_pattern($1,usbfs_t,usbfs_t)
')
########################################
@@ -2902,8 +2841,7 @@ interface(`dev_getattr_video_dev',`
type device_t, v4l_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 v4l_device_t:chr_file getattr;
+ getattr_chr_files_pattern($1,device_t,v4l_device_t)
')
########################################
@@ -2940,8 +2878,7 @@ interface(`dev_setattr_video_dev',`
type device_t, v4l_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 v4l_device_t:chr_file setattr;
+ setattr_chr_files_pattern($1,device_t,v4l_device_t)
')
########################################
@@ -2978,9 +2915,7 @@ interface(`dev_read_video_dev',`
type device_t, v4l_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 device_t:lnk_file { getattr read };
- allow $1 v4l_device_t:chr_file r_file_perms;
+ read_chr_files_pattern($1,device_t,v4l_device_t)
')
########################################
@@ -2998,8 +2933,7 @@ interface(`dev_rw_vmware',`
type device_t, vmware_device_t;
')
- allow $1 device_t:dir list_dir_perms;
- allow $1 vmware_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,vmware_device_t)
')
########################################
@@ -3017,8 +2951,8 @@ interface(`dev_rwx_vmware',`
type device_t, vmware_device_t;
')
- allow $1 device_t:dir list_dir_perms;
- allow $1 vmware_device_t:chr_file { rw_file_perms execute };
+ dev_rw_vmware($1)
+ allow $1 vmware_device_t:chr_file execute;
')
########################################
@@ -3036,8 +2970,7 @@ interface(`dev_write_watchdog',`
type device_t, watchdog_device_t;
')
- allow $1 device_t:dir list_dir_perms;
- allow $1 watchdog_device_t:chr_file { getattr write };
+ write_chr_files_pattern($1,device_t,watchdog_device_t)
')
########################################
@@ -3055,8 +2988,7 @@ interface(`dev_rw_xen',`
type device_t, xen_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 xen_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,xen_device_t)
')
########################################
@@ -3074,8 +3006,7 @@ interface(`dev_manage_xen',`
type device_t, xen_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 xen_device_t:chr_file manage_file_perms;
+ manage_chr_files_pattern($1,device_t,xen_device_t)
')
########################################
@@ -3094,8 +3025,7 @@ interface(`dev_filetrans_xen',`
type device_t, xen_device_t;
')
- allow $1 device_t:dir rw_dir_perms;
- type_transition $1 device_t:chr_file xen_device_t;
+ filetrans_pattern($1,device_t,xen_device_t,chr_file)
')
########################################
@@ -3113,8 +3043,7 @@ interface(`dev_getattr_xserver_misc_dev',`
type device_t, xserver_misc_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 xserver_misc_device_t:chr_file getattr;
+ getattr_chr_files_pattern($1,device_t,xserver_misc_device_t)
')
########################################
@@ -3132,8 +3061,7 @@ interface(`dev_setattr_xserver_misc_dev',`
type device_t, xserver_misc_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 xserver_misc_device_t:chr_file setattr;
+ setattr_chr_files_pattern($1,device_t,xserver_misc_device_t)
')
########################################
@@ -3151,8 +3079,7 @@ interface(`dev_rw_xserver_misc',`
type device_t, xserver_misc_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 xserver_misc_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,xserver_misc_device_t)
')
########################################
@@ -3170,8 +3097,7 @@ interface(`dev_rw_zero',`
type device_t, zero_device_t;
')
- allow $1 device_t:dir r_dir_perms;
- allow $1 zero_device_t:chr_file rw_file_perms;
+ rw_chr_files_pattern($1,device_t,zero_device_t)
')
########################################
@@ -3227,10 +3153,7 @@ interface(`dev_create_zero_dev',`
type device_t, zero_device_t;
')
- allow $1 device_t:dir add_entry_dir_perms;
- allow $1 zero_device_t:chr_file create;
-
- allow $1 self:capability mknod;
+ create_chr_files_pattern($1,device_t,zero_device_t)
')
########################################
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index d1b30879..b2557fd2 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -562,9 +562,9 @@ interface(`domain_read_all_domains_state',`
')
kernel_search_proc($1)
- allow $1 domain:dir r_dir_perms;
- allow $1 domain:lnk_file r_file_perms;
- allow $1 domain:file r_file_perms;
+ allow $1 domain:dir list_dir_perms;
+ read_files_pattern($1,domain,domain)
+ read_lnk_files_pattern($1,domain,domain)
')
########################################
@@ -621,11 +621,11 @@ interface(`domain_read_confined_domains_state',`
')
kernel_search_proc($1)
- allow $1 { domain -unconfined_domain_type }:dir r_dir_perms;
- allow $1 { domain -unconfined_domain_type }:lnk_file r_file_perms;
- allow $1 { domain -unconfined_domain_type }:file r_file_perms;
+ allow $1 { domain -unconfined_domain_type }:dir list_dir_perms;
+ read_files_pattern($1,{ domain -unconfined_domain_type },{ domain -unconfined_domain_type })
+ read_lnk_files_pattern($1,{ domain -unconfined_domain_type },{ domain -unconfined_domain_type })
- dontaudit $1 unconfined_domain_type:dir search;
+ dontaudit $1 unconfined_domain_type:dir search_dir_perms;
dontaudit $1 unconfined_domain_type:file { getattr read };
')
@@ -740,13 +740,13 @@ interface(`domain_dontaudit_read_all_domains_state',`
attribute domain;
')
- dontaudit $1 domain:dir r_dir_perms;
- dontaudit $1 domain:lnk_file r_file_perms;
- dontaudit $1 domain:file r_file_perms;
+ dontaudit $1 domain:dir list_dir_perms;
+ dontaudit $1 domain:lnk_file read_file_perms;
+ dontaudit $1 domain:file read_file_perms;
# cjp: these should be removed:
- dontaudit $1 domain:sock_file r_file_perms;
- dontaudit $1 domain:fifo_file r_file_perms;
+ dontaudit $1 domain:sock_file read_file_perms;
+ dontaudit $1 domain:fifo_file read_file_perms;
')
########################################
@@ -765,7 +765,7 @@ interface(`domain_dontaudit_list_all_domains_state',`
attribute domain;
')
- dontaudit $1 domain:dir r_dir_perms;
+ dontaudit $1 domain:dir list_dir_perms;
')
########################################
@@ -1069,8 +1069,8 @@ interface(`domain_getattr_all_entry_files',`
attribute entry_type;
')
- allow $1 entry_type:lnk_file getattr;
- allow $1 entry_type:file r_file_perms;
+ allow $1 entry_type:lnk_file read_lnk_file_perms;
+ allow $1 entry_type:file getattr;
')
########################################
@@ -1088,8 +1088,8 @@ interface(`domain_read_all_entry_files',`
attribute entry_type;
')
- allow $1 entry_type:lnk_file r_file_perms;
- allow $1 entry_type:file r_file_perms;
+ allow $1 entry_type:lnk_file read_lnk_file_perms;
+ allow $1 entry_type:file read_file_perms;
')
########################################
@@ -1149,7 +1149,7 @@ interface(`domain_relabel_all_entry_files',`
attribute entry_type;
')
- allow $1 entry_type:file { relabelfrom relabelto };
+ allow $1 entry_type:file relabel_file_perms;
')
########################################
@@ -1168,7 +1168,7 @@ interface(`domain_mmap_all_entry_files',`
attribute entry_type;
')
- allow $1 entry_type:file { getattr read execute };
+ allow $1 entry_type:file mmap_file_perms;
')
########################################
@@ -1187,7 +1187,7 @@ interface(`domain_entry_file_spec_domtrans',`
attribute entry_type;
')
- domain_trans($1,entry_type,$2)
+ domain_transition_pattern($1,entry_type,$2)
')
########################################
@@ -1217,62 +1217,3 @@ interface(`domain_unconfined',`
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
')
-
-#
-# These next macros are not templates, but actually are
-# support macros. Due to the domain_ prefix, they
-# are placed in this module, to try to prevent confusion.
-# They are called templates since regular m4 defines
-# wont work here.
-#
-
-########################################
-##
-## Specified domain transition requiring setexeccon.
-##
-##
-##
-## Domain to transition from.
-##
-##
-##
-##
-## Type of program to execute.
-##
-##
-##
-##
-## Domain to transition to.
-##
-##
-#
-template(`domain_trans',`
- allow $1 $2:file { getattr read execute };
- allow $1 $3:process transition;
- dontaudit $1 $3:process { noatsecure siginh rlimitinh };
-')
-
-########################################
-##
-## Automatic domain transition by type_transition.
-##
-##
-##
-## Domain to transition from.
-##
-##
-##
-##
-## Type of program to execute.
-##
-##
-##
-##
-## Domain to transition to.
-##
-##
-#
-template(`domain_auto_trans',`
- domain_trans($1,$2,$3)
- type_transition $1 $2:process $3;
-')
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index c5527ec5..5e78a96f 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -284,15 +284,12 @@ interface(`files_tmpfs_file',`
##
##
#
-# cjp: this is an odd interface, because to getattr
-# all dirs, you need to search all the parent directories
-#
interface(`files_getattr_all_dirs',`
gen_require(`
attribute file_type;
')
- allow $1 file_type:dir { getattr search };
+ getattr_dirs_pattern($1,file_type,file_type)
')
########################################
@@ -329,7 +326,7 @@ interface(`files_list_non_security',`
attribute file_type, security_file_type;
')
- allow $1 { file_type -security_file_type }:dir r_dir_perms;
+ list_dirs_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type })
')
########################################
@@ -348,7 +345,7 @@ interface(`files_dontaudit_list_non_security',`
attribute file_type, security_file_type;
')
- dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
+ dontaudit $1 { file_type -security_file_type }:dir list_dir_perms;
')
########################################
@@ -404,9 +401,8 @@ interface(`files_getattr_all_files',`
attribute file_type;
')
- allow $1 file_type:dir search;
- allow $1 file_type:file getattr;
- allow $1 file_type:lnk_file getattr;
+ getattr_files_pattern($1,file_type,file_type)
+ getattr_lnk_files_pattern($1,file_type,file_type)
')
########################################
@@ -463,7 +459,7 @@ interface(`files_read_all_files',`
')
allow $1 file_type:dir list_dir_perms;
- allow $1 file_type:file read_file_perms;
+ read_files_pattern($1,file_type,file_type)
optional_policy(`
auth_read_shadow($1)
@@ -517,9 +513,8 @@ interface(`files_read_non_security_files',`
attribute file_type, security_file_type;
')
- allow $1 { file_type -security_file_type }:dir search_dir_perms;
- allow $1 { file_type -security_file_type }:file r_file_perms;
- allow $1 { file_type -security_file_type }:lnk_file { getattr read };
+ read_files_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type })
+ read_lnk_files_pattern($1,{ file_type -security_file_type },{ file_type -security_file_type })
')
########################################
@@ -544,7 +539,7 @@ interface(`files_read_all_dirs_except',`
attribute file_type;
')
- allow $1 { file_type $2 }:dir r_dir_perms;
+ allow $1 { file_type $2 }:dir list_dir_perms;
')
########################################
@@ -569,9 +564,7 @@ interface(`files_read_all_files_except',`
attribute file_type;
')
- allow $1 { file_type $2 }:dir search;
- allow $1 { file_type $2 }:file r_file_perms;
-
+ read_files_pattern($1,{ file_type $2 },{ file_type $2 })
')
########################################
@@ -596,9 +589,7 @@ interface(`files_read_all_symlinks_except',`
attribute file_type;
')
- allow $1 { file_type $2 }:dir search;
- allow $1 { file_type $2 }:lnk_file r_file_perms;
-
+ read_lnk_files_pattern($1,{ file_type $2 },{ file_type $2 })
')
########################################
@@ -616,8 +607,7 @@ interface(`files_getattr_all_symlinks',`
attribute file_type;
')
- allow $1 file_type:dir search;
- allow $1 file_type:lnk_file getattr;
+ getattr_lnk_files_pattern($1,file_type,file_type)
')
########################################
@@ -731,7 +721,7 @@ interface(`files_read_all_symlinks',`
')
allow $1 file_type:dir list_dir_perms;
- allow $1 file_type:lnk_file { getattr read };
+ read_lnk_files_pattern($1,file_type,file_type)
')
########################################
@@ -750,7 +740,7 @@ interface(`files_getattr_all_pipes',`
')
allow $1 file_type:dir list_dir_perms;
- allow $1 file_type:fifo_file getattr;
+ getattr_fifo_files_pattern($1,file_type,file_type)
')
########################################
@@ -807,7 +797,7 @@ interface(`files_getattr_all_sockets',`
')
allow $1 file_type:dir list_dir_perms;
- allow $1 file_type:sock_file getattr;
+ getattr_sock_files_pattern($1,file_type,file_type)
')
########################################
@@ -863,8 +853,7 @@ interface(`files_read_all_blk_files',`
attribute file_type;
')
- allow $1 file_type:dir search;
- allow $1 file_type:blk_file { getattr read };
+ read_blk_files_pattern($1,file_type,file_type)
')
########################################
@@ -882,8 +871,7 @@ interface(`files_read_all_chr_files',`
attribute file_type;
')
- allow $1 file_type:dir search;
- allow $1 file_type:chr_file { getattr read };
+ read_chr_files_pattern($1,file_type,file_type)
')
########################################
@@ -909,13 +897,14 @@ interface(`files_relabel_all_files',`
attribute file_type;
')
- allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto };
- allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
- allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
- allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
- allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
- allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
- allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
+ allow $1 { file_type $2 }:dir list_dir_perms;
+ relabel_dirs_pattern($1,{ file_type $2 },{ file_type $2 })
+ relabel_files_pattern($1,{ file_type $2 },{ file_type $2 })
+ relabel_lnk_files_pattern($1,{ file_type $2 },{ file_type $2 })
+ relabel_fifo_files_pattern($1,{ file_type $2 },{ file_type $2 })
+ relabel_sock_files_pattern($1,{ file_type $2 },{ file_type $2 })
+ relabelfrom_blk_files_pattern($1,{ file_type $2 },{ file_type $2 })
+ relabelfrom_chr_files_pattern($1,{ file_type $2 },{ file_type $2 })
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
@@ -944,11 +933,11 @@ interface(`files_manage_all_files',`
attribute file_type;
')
- allow $1 { file_type $2 }:dir create_dir_perms;
- allow $1 { file_type $2 }:file create_file_perms;
- allow $1 { file_type $2 }:lnk_file create_lnk_perms;
- allow $1 { file_type $2 }:fifo_file create_file_perms;
- allow $1 { file_type $2 }:sock_file create_file_perms;
+ manage_dirs_pattern($1,{ file_type $2 },{ file_type $2 })
+ manage_files_pattern($1,{ file_type $2 },{ file_type $2 })
+ manage_lnk_files_pattern($1,{ file_type $2 },{ file_type $2 })
+ manage_fifo_files_pattern($1,{ file_type $2 },{ file_type $2 })
+ manage_sock_files_pattern($1,{ file_type $2 },{ file_type $2 })
# satisfy the assertions:
seutil_create_bin_policy($1)
@@ -971,7 +960,7 @@ interface(`files_search_all',`
attribute file_type;
')
- allow $1 file_type:dir search;
+ allow $1 file_type:dir search_dir_perms;
')
########################################
@@ -990,7 +979,7 @@ interface(`files_list_all',`
attribute file_type;
')
- allow $1 file_type:dir r_dir_perms;
+ allow $1 file_type:dir list_dir_perms;
')
########################################
@@ -1119,7 +1108,7 @@ interface(`files_list_root',`
type root_t;
')
- allow $1 root_t:dir r_dir_perms;
+ allow $1 root_t:dir list_dir_perms;
allow $1 root_t:lnk_file r_file_perms;
')
@@ -1149,8 +1138,7 @@ interface(`files_root_filetrans',`
type root_t;
')
- allow $1 root_t:dir rw_dir_perms;
- type_transition $1 root_t:$3 $2;
+ filetrans_pattern($1,root_t,$2,$3)
')
########################################
@@ -1363,8 +1351,7 @@ interface(`files_boot_filetrans',`
type boot_t;
')
- allow $1 boot_t:dir rw_dir_perms;
- type_transition $1 boot_t:$3 $2;
+ filetrans_pattern($1,boot_t,$2,$3)
')
########################################
@@ -1384,8 +1371,7 @@ interface(`files_manage_boot_files',`
type boot_t;
')
- allow $1 boot_t:dir rw_dir_perms;
- allow $1 boot_t:file manage_file_perms;
+ manage_files_pattern($1,boot_t,boot_t)
')
########################################
@@ -1403,7 +1389,7 @@ interface(`files_relabelfrom_boot_files',`
type boot_t;
')
- allow $1 boot_t:file relabelfrom;
+ relabelfrom_files_pattern($1,boot_t,boot_t)
')
########################################
@@ -1422,8 +1408,8 @@ interface(`files_rw_boot_symlinks',`
type boot_t;
')
- allow $1 boot_t:dir r_dir_perms;
- allow $1 boot_t:lnk_file rw_file_perms;
+ allow $1 boot_t:dir list_dir_perms;
+ rw_lnk_files_pattern($1,boot_t,boot_t)
')
########################################
@@ -1442,8 +1428,7 @@ interface(`files_manage_boot_symlinks',`
type boot_t;
')
- allow $1 boot_t:dir rw_dir_perms;
- allow $1 boot_t:lnk_file manage_file_perms;
+ manage_lnk_files_pattern($1,boot_t,boot_t)
')
########################################
@@ -1457,13 +1442,13 @@ interface(`files_manage_boot_symlinks',`
##
#
interface(`files_read_kernel_img',`
- gen_require(`
- type boot_t;
- ')
+ gen_require(`
+ type boot_t;
+ ')
- allow $1 boot_t:dir list_dir_perms;
- allow $1 boot_t:file { getattr read };
- allow $1 boot_t:lnk_file { getattr read };
+ allow $1 boot_t:dir list_dir_perms;
+ read_files_pattern($1,boot_t,boot_t)
+ read_lnk_files_pattern($1,boot_t,boot_t)
')
########################################
@@ -1482,9 +1467,8 @@ interface(`files_create_kernel_img',`
type boot_t;
')
- allow $1 boot_t:dir ra_dir_perms;
allow $1 boot_t:file { getattr read write create };
- allow $1 boot_t:lnk_file { getattr read create unlink };
+ manage_lnk_files_pattern($1,boot_t,boot_t)
')
########################################
@@ -1503,8 +1487,7 @@ interface(`files_delete_kernel',`
type boot_t;
')
- allow $1 boot_t:dir { r_dir_perms write remove_name };
- allow $1 boot_t:file { getattr unlink };
+ delete_files_pattern($1,boot_t,boot_t)
')
########################################
@@ -1559,7 +1542,7 @@ interface(`files_search_default',`
type default_t;
')
- allow $1 default_t:dir search;
+ allow $1 default_t:dir search_dir_perms;
')
########################################
@@ -1577,7 +1560,7 @@ interface(`files_list_default',`
type default_t;
')
- allow $1 default_t:dir r_dir_perms;
+ allow $1 default_t:dir list_dir_perms;
')
########################################
@@ -1596,7 +1579,7 @@ interface(`files_dontaudit_list_default',`
type default_t;
')
- dontaudit $1 default_t:dir r_dir_perms;
+ dontaudit $1 default_t:dir list_dir_perms;
')
########################################
@@ -1651,7 +1634,7 @@ interface(`files_read_default_files',`
type default_t;
')
- allow $1 default_t:file r_file_perms;
+ allow $1 default_t:file read_file_perms;
')
########################################
@@ -1670,7 +1653,7 @@ interface(`files_dontaudit_read_default_files',`
type default_t;
')
- dontaudit $1 default_t:file r_file_perms;
+ dontaudit $1 default_t:file read_file_perms;
')
########################################
@@ -1688,7 +1671,7 @@ interface(`files_read_default_symlinks',`
type default_t;
')
- allow $1 default_t:lnk_file r_file_perms;
+ allow $1 default_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -1706,7 +1689,7 @@ interface(`files_read_default_sockets',`
type default_t;
')
- allow $1 default_t:sock_file r_file_perms;
+ allow $1 default_t:sock_file read_sock_file_perms;
')
########################################
@@ -1724,7 +1707,7 @@ interface(`files_read_default_pipes',`
type default_t;
')
- allow $1 default_t:fifo_file r_file_perms;
+ allow $1 default_t:fifo_file read_fifo_file_perms;
')
########################################
@@ -1742,7 +1725,7 @@ interface(`files_search_etc',`
type etc_t;
')
- allow $1 etc_t:dir search;
+ allow $1 etc_t:dir search_dir_perms;
')
########################################
@@ -1778,7 +1761,7 @@ interface(`files_list_etc',`
type etc_t;
')
- allow $1 etc_t:dir r_dir_perms;
+ allow $1 etc_t:dir list_dir_perms;
')
########################################
@@ -1814,9 +1797,9 @@ interface(`files_read_etc_files',`
type etc_t;
')
- allow $1 etc_t:dir r_dir_perms;
- allow $1 etc_t:file r_file_perms;
- allow $1 etc_t:lnk_file r_file_perms;
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1,etc_t,etc_t)
+ read_lnk_files_pattern($1,etc_t,etc_t)
')
########################################
@@ -1853,9 +1836,9 @@ interface(`files_rw_etc_files',`
type etc_t;
')
- allow $1 etc_t:dir r_dir_perms;
- allow $1 etc_t:file rw_file_perms;
- allow $1 etc_t:lnk_file r_file_perms;
+ allow $1 etc_t:dir list_dir_perms;
+ rw_files_pattern($1,etc_t,etc_t)
+ read_lnk_files_pattern($1,etc_t,etc_t)
')
########################################
@@ -1875,9 +1858,8 @@ interface(`files_manage_etc_files',`
type etc_t;
')
- allow $1 etc_t:dir rw_dir_perms;
- allow $1 etc_t:file create_file_perms;
- allow $1 etc_t:lnk_file r_file_perms;
+ manage_files_pattern($1,etc_t,etc_t)
+ read_lnk_files_pattern($1,etc_t,etc_t)
')
########################################
@@ -1895,8 +1877,7 @@ interface(`files_delete_etc_files',`
type etc_t;
')
- allow $1 etc_t:dir rw_dir_perms;
- allow $1 etc_t:file unlink;
+ delete_files_pattern($1,etc_t,etc_t)
')
########################################
@@ -1914,10 +1895,9 @@ interface(`files_exec_etc_files',`
type etc_t;
')
- allow $1 etc_t:dir r_dir_perms;
- allow $1 etc_t:lnk_file r_file_perms;
- can_exec($1,etc_t)
-
+ allow $1 etc_t:dir list_dir_perms;
+ read_lnk_files_pattern($1,etc_t,etc_t)
+ exec_files_pattern($1,etc_t,etc_t)
')
#######################################
@@ -1936,7 +1916,7 @@ interface(`files_relabel_etc_files',`
')
allow $1 etc_t:dir list_dir_perms;
- allow $1 etc_t:file { relabelfrom relabelto };
+ relabel_files_pattern($1,etc_t,etc_t)
')
########################################
@@ -1954,8 +1934,7 @@ interface(`files_read_etc_symlinks',`
type etc_t;
')
- allow $1 etc_t:dir search_dir_perms;
- allow $1 etc_t:lnk_file { getattr read };
+ read_lnk_files_pattern($1,etc_t,etc_t)
')
########################################
@@ -1984,8 +1963,7 @@ interface(`files_etc_filetrans',`
type etc_t;
')
- allow $1 etc_t:dir rw_dir_perms;
- type_transition $1 etc_t:$3 $2;
+ filetrans_pattern($1,etc_t,$2,$3)
')
########################################
@@ -2010,9 +1988,8 @@ interface(`files_create_boot_flag',`
type root_t, etc_runtime_t;
')
- allow $1 root_t:dir rw_dir_perms;
- allow $1 etc_runtime_t:file { create read write setattr unlink };
- type_transition $1 root_t:file etc_runtime_t;
+ allow $1 etc_runtime_t:file manage_file_perms;
+ filetrans_pattern($1,root_t,etc_runtime_t,file)
')
########################################
@@ -2032,9 +2009,9 @@ interface(`files_read_etc_runtime_files',`
type etc_t, etc_runtime_t;
')
- allow $1 etc_t:dir r_dir_perms;
- allow $1 etc_runtime_t:file r_file_perms;
- allow $1 etc_runtime_t:lnk_file { getattr read };
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1,etc_t,etc_runtime_t)
+ read_lnk_files_pattern($1,etc_t,etc_runtime_t)
')
########################################
@@ -2074,8 +2051,8 @@ interface(`files_rw_etc_runtime_files',`
type etc_t, etc_runtime_t;
')
- allow $1 etc_t:dir r_dir_perms;
- allow $1 etc_runtime_t:file rw_file_perms;
+ allow $1 etc_t:dir list_dir_perms;
+ rw_files_pattern($1,etc_t,etc_runtime_t)
')
########################################
@@ -2096,9 +2073,7 @@ interface(`files_manage_etc_runtime_files',`
type etc_t, etc_runtime_t;
')
- allow $1 etc_t:dir rw_dir_perms;
- allow $1 etc_runtime_t:dir rw_dir_perms;
- allow $1 etc_runtime_t:file manage_file_perms;
+ manage_files_pattern($1,{ etc_t etc_runtime_t },etc_runtime_t)
')
########################################
@@ -2122,8 +2097,7 @@ interface(`files_etc_filetrans_etc_runtime',`
type etc_t, etc_runtime_t;
')
- allow $1 etc_t:dir rw_dir_perms;
- type_transition $1 etc_t:$2 etc_runtime_t;
+ filetrans_pattern($1,etc_t,etc_runtime_t,$2)
')
########################################
@@ -2180,7 +2154,7 @@ interface(`files_list_isid_type_dirs',`
type file_t;
')
- allow $1 file_t:dir r_dir_perms;
+ allow $1 file_t:dir list_dir_perms;
')
########################################
@@ -2218,7 +2192,7 @@ interface(`files_manage_isid_type_dirs',`
type file_t;
')
- allow $1 file_t:dir create_dir_perms;
+ allow $1 file_t:dir manage_dir_perms;
')
########################################
@@ -2237,7 +2211,7 @@ interface(`files_mounton_isid_type_dirs',`
type file_t;
')
- allow $1 file_t:dir { getattr search mounton };
+ allow $1 file_t:dir { search_dir_perms mounton };
')
########################################
@@ -2256,8 +2230,7 @@ interface(`files_read_isid_type_files',`
type file_t;
')
- allow $1 file_t:dir search;
- allow $1 file_t:file r_file_perms;
+ allow $1 file_t:file read_file_perms;
')
########################################
@@ -2276,8 +2249,7 @@ interface(`files_manage_isid_type_files',`
type file_t;
')
- allow $1 file_t:dir rw_dir_perms;
- allow $1 file_t:file create_file_perms;
+ allow $1 file_t:file manage_file_perms;
')
########################################
@@ -2296,8 +2268,7 @@ interface(`files_manage_isid_type_symlinks',`
type file_t;
')
- allow $1 file_t:dir rw_dir_perms;
- allow $1 file_t:lnk_file create_lnk_perms;
+ allow $1 file_t:lnk_file manage_lnk_file_perms;
')
########################################
@@ -2316,8 +2287,7 @@ interface(`files_rw_isid_type_blk_files',`
type file_t;
')
- allow $1 file_t:dir search;
- allow $1 file_t:blk_file rw_file_perms;
+ allow $1 file_t:blk_file rw_blk_file_perms;
')
########################################
@@ -2336,8 +2306,7 @@ interface(`files_manage_isid_type_blk_files',`
type file_t;
')
- allow $1 file_t:dir rw_dir_perms;
- allow $1 file_t:blk_file create_file_perms;
+ allow $1 file_t:blk_file manage_blk_file_perms;
')
########################################
@@ -2356,8 +2325,7 @@ interface(`files_manage_isid_type_chr_files',`
type file_t;
')
- allow $1 file_t:dir rw_dir_perms;
- allow $1 file_t:chr_file create_file_perms;
+ allow $1 file_t:chr_file manage_chr_file_perms;
')
########################################
@@ -2452,7 +2420,7 @@ interface(`files_dontaudit_list_home',`
type home_root_t;
')
- dontaudit $1 home_root_t:dir r_dir_perms;
+ dontaudit $1 home_root_t:dir list_dir_perms;
')
########################################
@@ -2470,7 +2438,7 @@ interface(`files_list_home',`
type home_root_t;
')
- allow $1 home_root_t:dir r_dir_perms;
+ allow $1 home_root_t:dir list_dir_perms;
')
########################################
@@ -2498,8 +2466,7 @@ interface(`files_home_filetrans',`
type home_root_t;
')
- allow $1 home_root_t:dir rw_dir_perms;
- type_transition $1 home_root_t:$3 $2;
+ filetrans_pattern($1,home_root_t,$2,$3)
')
########################################
@@ -2537,11 +2504,11 @@ interface(`files_manage_lost_found',`
type lost_found_t;
')
- allow $1 lost_found_t:dir create_dir_perms;
- allow $1 lost_found_t:file create_file_perms;
- allow $1 lost_found_t:sock_file create_file_perms;
- allow $1 lost_found_t:fifo_file create_file_perms;
- allow $1 lost_found_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1,lost_found_t,lost_found_t)
+ manage_files_pattern($1,lost_found_t,lost_found_t)
+ manage_lnk_files_pattern($1,lost_found_t,lost_found_t)
+ manage_fifo_files_pattern($1,lost_found_t,lost_found_t)
+ manage_sock_files_pattern($1,lost_found_t,lost_found_t)
')
########################################
@@ -2595,7 +2562,7 @@ interface(`files_list_mnt',`
type mnt_t;
')
- allow $1 mnt_t:dir r_dir_perms;
+ allow $1 mnt_t:dir list_dir_perms;
')
########################################
@@ -2613,7 +2580,7 @@ interface(`files_mounton_mnt',`
type mnt_t;
')
- allow $1 mnt_t:dir { search mounton };
+ allow $1 mnt_t:dir { search_dir_perms mounton };
')
########################################
@@ -2632,7 +2599,7 @@ interface(`files_manage_mnt_dirs',`
type mnt_t;
')
- allow $1 mnt_t:dir create_dir_perms;
+ allow $1 mnt_t:dir manage_dir_perms;
')
########################################
@@ -2650,8 +2617,7 @@ interface(`files_manage_mnt_files',`
type mnt_t;
')
- allow $1 mnt_t:dir rw_dir_perms;
- allow $1 mnt_t:file create_file_perms;
+ manage_files_pattern($1,mnt_t,mnt_t)
')
########################################
@@ -2669,8 +2635,7 @@ interface(`files_manage_mnt_symlinks',`
type mnt_t;
')
- allow $1 mnt_t:dir rw_dir_perms;
- allow $1 mnt_t:lnk_file create_lnk_perms;
+ manage_lnk_files_pattern($1,mnt_t,mnt_t)
')
########################################
@@ -2688,7 +2653,7 @@ interface(`files_search_kernel_modules',`
type modules_object_t;
')
- allow $1 modules_object_t:dir search;
+ allow $1 modules_object_t:dir search_dir_perms;
')
########################################
@@ -2706,7 +2671,7 @@ interface(`files_list_kernel_modules',`
type modules_object_t;
')
- allow $1 modules_object_t:dir r_dir_perms;
+ allow $1 modules_object_t:dir list_dir_perms;
')
########################################
@@ -2724,8 +2689,7 @@ interface(`files_getattr_kernel_modules',`
type modules_object_t;
')
- allow $1 modules_object_t:dir search;
- allow $1 modules_object_t:dir getattr;
+ getattr_files_pattern($1,modules_object_t,modules_object_t)
')
########################################
@@ -2743,9 +2707,9 @@ interface(`files_read_kernel_modules',`
type modules_object_t;
')
- allow $1 modules_object_t:dir r_dir_perms;
- allow $1 modules_object_t:lnk_file r_file_perms;
- allow $1 modules_object_t:file r_file_perms;
+ allow $1 modules_object_t:dir list_dir_perms;
+ read_files_pattern($1,modules_object_t,modules_object_t)
+ read_lnk_files_pattern($1,modules_object_t,modules_object_t)
')
########################################
@@ -2763,8 +2727,8 @@ interface(`files_write_kernel_modules',`
type modules_object_t;
')
- allow $1 modules_object_t:dir r_dir_perms;
- allow $1 modules_object_t:file { write append };
+ allow $1 modules_object_t:dir list_dir_perms;
+ write_files_pattern($1,modules_object_t,modules_object_t)
')
########################################
@@ -2782,8 +2746,7 @@ interface(`files_delete_kernel_modules',`
type modules_object_t;
')
- allow $1 modules_object_t:dir { list_dir_perms write remove_name };
- allow $1 modules_object_t:file unlink;
+ delete_files_pattern($1,modules_object_t,modules_object_t)
')
########################################
@@ -2803,8 +2766,7 @@ interface(`files_manage_kernel_modules',`
type modules_object_t;
')
- allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
- allow $1 modules_object_t:dir rw_dir_perms;
+ manage_files_pattern($1,modules_object_t,modules_object_t)
')
########################################
@@ -2822,7 +2784,7 @@ interface(`files_relabel_kernel_modules',`
type modules_object_t;
')
- allow $1 modules_object_t:file { relabelfrom relabelto };
+ relabel_files_pattern($1,modules_object_t,modules_object_t)
allow $1 modules_object_t:dir list_dir_perms;
')
@@ -2852,8 +2814,7 @@ interface(`files_kernel_modules_filetrans',`
type modules_object_t;
')
- allow $1 modules_object_t:dir rw_dir_perms;
- type_transition $1 modules_object_t:$3 $2;
+ filetrans_pattern($1,modules_object_t,$2,$3)
')
########################################
@@ -2872,7 +2833,7 @@ interface(`files_list_world_readable',`
type readable_t;
')
- allow $1 readable_t:dir r_dir_perms;
+ allow $1 readable_t:dir list_dir_perms;
')
########################################
@@ -2891,7 +2852,7 @@ interface(`files_read_world_readable_files',`
type readable_t;
')
- allow $1 readable_t:file r_file_perms;
+ allow $1 readable_t:file read_file_perms;
')
########################################
@@ -2910,7 +2871,7 @@ interface(`files_read_world_readable_symlinks',`
type readable_t;
')
- allow $1 readable_t:lnk_file r_file_perms;
+ allow $1 readable_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -2928,7 +2889,7 @@ interface(`files_read_world_readable_pipes',`
type readable_t;
')
- allow $1 readable_t:fifo_file r_file_perms;
+ allow $1 readable_t:fifo_file read_fifo_file_perms;
')
########################################
@@ -2946,7 +2907,7 @@ interface(`files_read_world_readable_sockets',`
type readable_t;
')
- allow $1 readable_t:sock_file r_file_perms;
+ allow $1 readable_t:sock_file read_sock_file_perms;
')
########################################
@@ -3075,7 +3036,7 @@ interface(`files_dontaudit_list_tmp',`
type tmp_t;
')
- dontaudit $1 tmp_t:dir { read getattr search };
+ dontaudit $1 tmp_t:dir list_dir_perms;
')
########################################
@@ -3093,8 +3054,7 @@ interface(`files_read_generic_tmp_files',`
type tmp_t;
')
- allow $1 tmp_t:dir search_dir_perms;
- allow $1 tmp_t:file r_file_perms;
+ read_files_pattern($1,tmp_t,tmp_t)
')
########################################
@@ -3112,8 +3072,7 @@ interface(`files_manage_generic_tmp_files',`
type tmp_t;
')
- allow $1 tmp_t:dir rw_dir_perms;
- allow $1 tmp_t:file manage_file_perms;
+ manage_files_pattern($1,tmp_t,tmp_t)
')
########################################
@@ -3131,8 +3090,7 @@ interface(`files_read_generic_tmp_symlinks',`
type tmp_t;
')
- allow $1 tmp_t:dir search_dir_perms;
- allow $1 tmp_t:lnk_file r_file_perms;
+ read_lnk_files_pattern($1,tmp_t,tmp_t)
')
########################################
@@ -3150,8 +3108,7 @@ interface(`files_rw_generic_tmp_sockets',`
type tmp_t;
')
- allow $1 tmp_t:dir search_dir_perms;
- allow $1 tmp_t:sock_file { read write };
+ rw_sock_files_pattern($1,tmp_t,tmp_t)
')
########################################
@@ -3169,7 +3126,7 @@ interface(`files_setattr_all_tmp_dirs',`
attribute tmpfile;
')
- allow $1 tmpfile:dir { search setattr };
+ allow $1 tmpfile:dir { search_dir_perms setattr };
')
########################################
@@ -3198,8 +3155,7 @@ interface(`files_tmp_filetrans',`
type tmp_t;
')
- allow $1 tmp_t:dir rw_dir_perms;
- type_transition $1 tmp_t:$3 $2;
+ filetrans_pattern($1,tmp_t,$2,$3)
')
########################################
@@ -3217,8 +3173,12 @@ interface(`files_purge_tmp',`
attribute tmpfile;
')
- allow $1 tmpfile:dir { rw_dir_perms rmdir };
- allow $1 tmpfile:notdevfile_class_set { getattr unlink };
+ allow $1 tmpfile:dir list_dir_perms;
+ delete_dirs_pattern($1,tmpfile,tmpfile)
+ delete_files_pattern($1,tmpfile,tmpfile)
+ delete_lnk_files_pattern($1,tmpfile,tmpfile)
+ delete_fifo_files_pattern($1,tmpfile,tmpfile)
+ delete_sock_files_pattern($1,tmpfile,tmpfile)
')
########################################
@@ -3236,7 +3196,7 @@ interface(`files_search_usr',`
type usr_t;
')
- allow $1 usr_t:dir search;
+ allow $1 usr_t:dir search_dir_perms;
')
########################################
@@ -3255,7 +3215,7 @@ interface(`files_list_usr',`
type usr_t;
')
- allow $1 usr_t:dir r_dir_perms;
+ allow $1 usr_t:dir list_dir_perms;
')
########################################
@@ -3273,8 +3233,7 @@ interface(`files_getattr_usr_files',`
type usr_t;
')
- allow $1 usr_t:dir search;
- allow $1 usr_t:file getattr;
+ getattr_files_pattern($1,usr_t,usr_t)
')
########################################
@@ -3292,8 +3251,9 @@ interface(`files_read_usr_files',`
type usr_t;
')
- allow $1 usr_t:dir r_dir_perms;
- allow $1 usr_t:{ file lnk_file } r_file_perms;
+ allow $1 usr_t:dir list_dir_perms;
+ read_files_pattern($1,usr_t,usr_t)
+ read_lnk_files_pattern($1,usr_t,usr_t)
')
########################################
@@ -3311,10 +3271,9 @@ interface(`files_exec_usr_files',`
type usr_t;
')
- allow $1 usr_t:dir r_dir_perms;
- allow $1 usr_t:lnk_file r_file_perms;
- can_exec($1,usr_t)
-
+ allow $1 usr_t:dir list_dir_perms;
+ exec_files_pattern($1,usr_t,usr_t)
+ read_lnk_files_pattern($1,usr_t,usr_t)
')
########################################
@@ -3332,7 +3291,7 @@ interface(`files_relabelto_usr_files',`
type usr_t;
')
- allow $1 usr_t:file relabelto;
+ relabelto_files_pattern($1,usr_t,usr_t)
')
########################################
@@ -3350,8 +3309,7 @@ interface(`files_read_usr_symlinks',`
type usr_t;
')
- allow $1 usr_t:dir search;
- allow $1 usr_t:lnk_file r_file_perms;
+ read_lnk_files_pattern($1,usr_t,usr_t)
')
########################################
@@ -3379,8 +3337,7 @@ interface(`files_usr_filetrans',`
type usr_t;
')
- allow $1 usr_t:dir rw_dir_perms;
- type_transition $1 usr_t:$3 $2;
+ filetrans_pattern($1,usr_t,$2,$3)
')
########################################
@@ -3398,7 +3355,7 @@ interface(`files_dontaudit_search_src',`
type src_t;
')
- dontaudit $1 src_t:dir search;
+ dontaudit $1 src_t:dir search_dir_perms;
')
########################################
@@ -3416,10 +3373,10 @@ interface(`files_getattr_usr_src_files',`
type usr_t, src_t;
')
- allow $1 { usr_t src_t }:dir search_dir_perms;
+ getattr_files_pattern($1,src_t,src_t)
- allow $1 src_t:lnk_file { getattr read };
- allow $1 src_t:file getattr;
+ # /usr/src/linux symlink:
+ read_lnk_files_pattern($1,usr_t,src_t)
')
########################################
@@ -3437,9 +3394,10 @@ interface(`files_read_usr_src_files',`
type usr_t, src_t;
')
- allow $1 usr_t:dir search;
- allow $1 src_t:dir r_dir_perms;
- allow $1 src_t:{ file lnk_file } r_file_perms;
+ allow $1 usr_t:dir search_dir_perms;
+ read_files_pattern($1,{ usr_t src_t },src_t)
+ read_lnk_files_pattern($1,{ usr_t src_t },src_t)
+ allow $1 src_t:dir list_dir_perms;
')
########################################
@@ -3457,10 +3415,9 @@ interface(`files_exec_usr_src_files',`
type usr_t, src_t;
')
- allow $1 usr_t:dir search;
- allow $1 src_t:dir r_dir_perms;
- allow $1 src_t:lnk_file r_file_perms;
- can_exec($1,src_t)
+ list_dirs_pattern($1,usr_t,src_t)
+ exec_files_pattern($1,src_t,src_t)
+ read_lnk_files_pattern($1,src_t,src_t)
')
########################################
@@ -3497,11 +3454,8 @@ interface(`files_read_kernel_symbol_table',`
type boot_t, system_map_t;
')
- allow $1 boot_t:dir r_dir_perms;
- allow $1 system_map_t:file r_file_perms;
-
- # cjp: this should be dropped:
- allow $1 boot_t:file { getattr read };
+ allow $1 boot_t:dir list_dir_perms;
+ read_files_pattern($1,boot_t,system_map_t)
')
########################################
@@ -3519,8 +3473,8 @@ interface(`files_delete_kernel_symbol_table',`
type boot_t, system_map_t;
')
- allow $1 boot_t:dir { r_dir_perms write remove_name };
- allow $1 system_map_t:file { getattr unlink };
+ allow $1 boot_t:dir list_dir_perms;
+ delete_files_pattern($1,boot_t,system_map_t)
')
########################################
@@ -3593,7 +3547,7 @@ interface(`files_list_var',`
type var_t;
')
- allow $1 var_t:dir r_dir_perms;
+ allow $1 var_t:dir list_dir_perms;
')
########################################
@@ -3612,7 +3566,7 @@ interface(`files_manage_var_dirs',`
type var_t;
')
- allow $1 var_t:dir create_dir_perms;
+ allow $1 var_t:dir manage_dir_perms;
')
########################################
@@ -3630,8 +3584,7 @@ interface(`files_read_var_files',`
type var_t;
')
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_t:file r_file_perms;
+ read_files_pattern($1,var_t,var_t)
')
########################################
@@ -3649,8 +3602,7 @@ interface(`files_rw_var_files',`
type var_t;
')
- allow $1 var_t:dir rw_dir_perms;
- allow $1 var_t:file create_file_perms;
+ rw_files_pattern($1,var_t,var_t)
')
########################################
@@ -3668,8 +3620,7 @@ interface(`files_manage_var_files',`
type var_t;
')
- allow $1 var_t:dir rw_dir_perms;
- allow $1 var_t:file create_file_perms;
+ manage_files_pattern($1,var_t,var_t)
')
########################################
@@ -3687,8 +3638,7 @@ interface(`files_read_var_symlinks',`
type var_t;
')
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_t:lnk_file { getattr read };
+ read_lnk_files_pattern($1,var_t,var_t)
')
########################################
@@ -3707,8 +3657,7 @@ interface(`files_manage_var_symlinks',`
type var_t;
')
- allow $1 var_t:dir rw_dir_perms;
- allow $1 var_t:lnk_file create_lnk_perms;
+ manage_lnk_files_pattern($1,var_t,var_t)
')
########################################
@@ -3736,8 +3685,7 @@ interface(`files_var_filetrans',`
type var_t;
')
- allow $1 var_t:dir rw_dir_perms;
- type_transition $1 var_t:$3 $2;
+ filetrans_pattern($1,var_t,$2,$3)
')
########################################
@@ -3755,8 +3703,7 @@ interface(`files_getattr_var_lib_dirs',`
type var_t, var_lib_t;
')
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lib_t:dir getattr;
+ getattr_dirs_pattern($1,var_t,var_lib_t)
')
########################################
@@ -3774,7 +3721,7 @@ interface(`files_search_var_lib',`
type var_t, var_lib_t;
')
- allow $1 { var_t var_lib_t }:dir search_dir_perms;
+ search_dirs_pattern($1,var_t,var_lib_t)
')
########################################
@@ -3792,8 +3739,7 @@ interface(`files_list_var_lib',`
type var_t, var_lib_t;
')
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lib_t:dir r_dir_perms;
+ list_dirs_pattern($1,var_t,var_lib_t)
')
########################################
@@ -3822,8 +3768,7 @@ interface(`files_var_lib_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
- allow $1 var_lib_t:dir rw_dir_perms;
- type_transition $1 var_lib_t:$3 $2;
+ filetrans_pattern($1,var_lib_t,$2,$3)
')
########################################
@@ -3841,8 +3786,7 @@ interface(`files_read_var_lib_files',`
type var_t, var_lib_t;
')
- allow $1 { var_t var_lib_t }:dir search_dir_perms;
- allow $1 var_lib_t:file r_file_perms;
+ read_files_pattern($1,{ var_t var_lib_t },var_lib_t)
')
########################################
@@ -3860,8 +3804,7 @@ interface(`files_read_var_lib_symlinks',`
type var_t, var_lib_t;
')
- allow $1 { var_t var_lib_t }:dir search_dir_perms;
- allow $1 var_lib_t:lnk_file { getattr read };
+ read_lnk_files_pattern($1,{ var_t var_lib_t },var_lib_t)
')
# cjp: the next two interfaces really need to be fixed
@@ -3884,8 +3827,7 @@ interface(`files_manage_urandom_seed',`
')
allow $1 var_t:dir search_dir_perms;
- allow $1 var_lib_t:dir rw_dir_perms;
- allow $1 var_lib_t:file manage_file_perms;
+ manage_files_pattern($1,var_lib_t,var_lib_t)
')
########################################
@@ -3905,8 +3847,7 @@ interface(`files_manage_mounttab',`
')
allow $1 var_t:dir search_dir_perms;
- allow $1 var_lib_t:dir rw_dir_perms;
- allow $1 var_lib_t:file manage_file_perms;
+ manage_files_pattern($1,var_lib_t,var_lib_t)
')
########################################
@@ -3924,7 +3865,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ search_dirs_pattern($1,var_t,var_lock_t)
')
########################################
@@ -3962,8 +3903,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:dir rw_dir_perms;
+ rw_dirs_pattern($1,var_t,var_lock_t)
')
########################################
@@ -3982,8 +3922,8 @@ interface(`files_getattr_generic_locks',`
')
allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:dir r_dir_perms;
- allow $1 var_lock_t:file getattr;
+ allow $1 var_lock_t:dir list_dir_perms;
+ getattr_files_pattern($1,var_lock_t,var_lock_t)
')
########################################
@@ -4002,8 +3942,8 @@ interface(`files_manage_generic_locks',`
type var_lock_t;
')
- allow $1 var_lock_t:dir rw_dir_perms;
- allow $1 var_lock_t:file manage_file_perms;
+ allow $1 var_t:dir search_dir_perms;
+ manage_files_pattern($1,var_lock_t,var_lock_t)
')
########################################
@@ -4022,8 +3962,8 @@ interface(`files_delete_all_locks',`
attribute lockfile;
')
- allow $1 lockfile:dir rw_dir_perms;
- allow $1 lockfile:file { getattr unlink };
+ allow $1 var_t:dir search_dir_perms;
+ delete_files_pattern($1,lockfile,lockfile)
')
########################################
@@ -4043,9 +3983,9 @@ interface(`files_read_all_locks',`
')
allow $1 { var_t var_lock_t }:dir search_dir_perms;
- allow $1 lockfile:dir r_dir_perms;
- allow $1 lockfile:file r_file_perms;
- allow $1 lockfile:lnk_file { getattr read };
+ allow $1 lockfile:dir list_dir_perms;
+ read_files_pattern($1,lockfile,lockfile)
+ read_lnk_files_pattern($1,lockfile,lockfile)
')
########################################
@@ -4074,9 +4014,8 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
- allow $1 var_t:dir search;
- allow $1 var_lock_t:dir rw_dir_perms;
- type_transition $1 var_lock_t:$3 $2;
+ allow $1 var_t:dir search_dir_perms;
+ filetrans_pattern($1,var_lock_t,$2,$3)
')
########################################
@@ -4114,8 +4053,7 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:dir search_dir_perms;
+ search_dirs_pattern($1,var_t,var_run_t)
')
########################################
@@ -4153,8 +4091,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:dir r_dir_perms;
+ list_dirs_pattern($1,var_t,var_run_t)
')
########################################
@@ -4184,8 +4121,7 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:dir rw_dir_perms;
- type_transition $1 var_run_t:$3 $2;
+ filetrans_pattern($1,var_run_t,$2,$3)
')
########################################
@@ -4203,9 +4139,8 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
- allow $1 var_t:dir search;
- allow $1 var_run_t:dir r_dir_perms;
- allow $1 var_run_t:file rw_file_perms;
+ list_dirs_pattern($1,var_t,var_run_t)
+ rw_files_pattern($1,var_run_t,var_run_t)
')
########################################
@@ -4261,9 +4196,8 @@ interface(`files_read_all_pids',`
type var_t;
')
- allow $1 var_t:dir search_dir_perms;
- allow $1 pidfile:dir r_dir_perms;
- allow $1 pidfile:file r_file_perms;
+ list_dirs_pattern($1,var_t,pidfile)
+ read_files_pattern($1,pidfile,pidfile)
')
########################################
@@ -4302,13 +4236,12 @@ interface(`files_delete_all_pids',`
type var_t, var_run_t;
')
- allow $1 var_t:dir search;
- allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
+ allow $1 var_t:dir search_dir_perms;
allow $1 var_run_t:dir rmdir;
- allow $1 pidfile:dir rw_dir_perms;
- allow $1 pidfile:file { getattr unlink };
- allow $1 pidfile:sock_file { getattr unlink };
- allow $1 pidfile:fifo_file { getattr unlink };
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1,pidfile,pidfile)
+ delete_fifo_files_pattern($1,pidfile,pidfile)
+ delete_sock_files_pattern($1,pidfile,{ pidfile var_run_t })
')
########################################
@@ -4327,8 +4260,8 @@ interface(`files_delete_all_pid_dirs',`
type var_t;
')
- allow $1 var_t:dir search;
- allow $1 pidfile:dir { rw_dir_perms rmdir };
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1,pidfile,pidfile)
')
########################################
@@ -4347,8 +4280,7 @@ interface(`files_search_spool',`
type var_t, var_spool_t;
')
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_spool_t:dir search_dir_perms;
+ search_dirs_pattern($1,var_t,var_spool_t)
')
########################################
@@ -4386,8 +4318,7 @@ interface(`files_list_spool',`
type var_t, var_spool_t;
')
- allow $1 var_t:dir search;
- allow $1 var_spool_t:dir r_dir_perms;
+ list_dirs_pattern($1,var_t,var_spool_t)
')
########################################
@@ -4406,8 +4337,8 @@ interface(`files_manage_generic_spool_dirs',`
type var_t, var_spool_t;
')
- allow $1 var_t:dir search;
- allow $1 var_spool_t:dir create_dir_perms;
+ allow $1 var_t:dir search_dir_perms;
+ manage_dirs_pattern($1,var_spool_t,var_spool_t)
')
########################################
@@ -4425,9 +4356,8 @@ interface(`files_read_generic_spool',`
type var_t, var_spool_t;
')
- allow $1 var_t:dir search;
- allow $1 var_spool_t:dir r_dir_perms;
- allow $1 var_spool_t:file r_file_perms;
+ list_dirs_pattern($1,var_t,var_spool_t)
+ read_files_pattern($1,var_spool_t,var_spool_t)
')
########################################
@@ -4446,9 +4376,8 @@ interface(`files_manage_generic_spool',`
type var_t, var_spool_t;
')
- allow $1 var_t:dir search;
- allow $1 var_spool_t:dir rw_dir_perms;
- allow $1 var_spool_t:file create_file_perms;
+ allow $1 var_t:dir search_dir_perms;
+ manage_files_pattern($1,var_spool_t,var_spool_t)
')
########################################
@@ -4468,8 +4397,7 @@ interface(`files_spool_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
- allow $1 var_spool_t:dir rw_dir_perms;
- type_transition $1 var_spool_t:$3 $2;
+ filetrans_pattern($1,var_spool_t,$2,$3)
')
########################################
@@ -4549,31 +4477,5 @@ interface(`files_manage_non_security_dirs',`
attribute file_type, security_file_type;
')
- allow $1 { file_type -security_file_type }:dir create_dir_perms;
-')
-
-########################################
-##
-## Create a aliased type to etc_runtime_t files.
-##
-##
-##
-## Create a aliased type to etc runtime files.
-##
-##
-## This is added to remove types that should have been etc_runtime_t
-##
-##
-##
-##
-## Alias type for etc_runtime_t.
-##
-##
-#
-interface(`corecmd_etc_runtime_alias',`
- gen_require(`
- type etc_runtime_t;
- ')
-
- typealias etc_runtime_t alias $1;
+ allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 443433aa..3effc68f 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -360,7 +360,7 @@ interface(`fs_search_auto_mountpoints',`
type autofs_t;
')
- allow $1 autofs_t:dir { getattr search };
+ allow $1 autofs_t:dir search_dir_perms;
')
########################################
@@ -380,7 +380,7 @@ interface(`fs_list_auto_mountpoints',`
type autofs_t;
')
- allow $1 autofs_t:dir r_dir_perms;
+ allow $1 autofs_t:dir list_dir_perms;
')
########################################
@@ -399,7 +399,7 @@ interface(`fs_dontaudit_list_auto_mountpoints',`
type autofs_t;
')
- dontaudit $1 autofs_t:dir r_dir_perms;
+ dontaudit $1 autofs_t:dir list_dir_perms;
')
########################################
@@ -418,8 +418,7 @@ interface(`fs_manage_autofs_symlinks',`
type autofs_t;
')
- allow $1 autofs_t:dir rw_dir_perms;
- allow $1 autofs_t:lnk_file create_lnk_perms;
+ manage_lnk_files_pattern($1,autofs_t,autofs_t)
')
########################################
@@ -474,8 +473,7 @@ interface(`fs_register_binary_executable_type',`
type binfmt_misc_fs_t;
')
- allow $1 binfmt_misc_fs_t:dir { getattr search };
- allow $1 binfmt_misc_fs_t:file { getattr ioctl write read };
+ rw_files_pattern($1,binfmt_misc_fs_t,binfmt_misc_fs_t)
')
########################################
@@ -568,7 +566,7 @@ interface(`fs_search_cifs',`
type cifs_t;
')
- allow $1 cifs_t:dir search;
+ allow $1 cifs_t:dir search_dir_perms;
')
########################################
@@ -587,7 +585,7 @@ interface(`fs_list_cifs',`
type cifs_t;
')
- allow $1 cifs_t:dir r_dir_perms;
+ allow $1 cifs_t:dir list_dir_perms;
')
########################################
@@ -606,7 +604,7 @@ interface(`fs_dontaudit_list_cifs',`
type cifs_t;
')
- dontaudit $1 cifs_t:dir r_dir_perms;
+ dontaudit $1 cifs_t:dir list_dir_perms;
')
########################################
@@ -625,8 +623,8 @@ interface(`fs_read_cifs_files',`
type cifs_t;
')
- allow $1 cifs_t:dir r_dir_perms;
- allow $1 cifs_t:file r_file_perms;
+ allow $1 cifs_t:dir list_dir_perms;
+ read_files_pattern($1,cifs_t,cifs_t)
')
########################################
@@ -664,8 +662,7 @@ interface(`fs_list_noxattr_fs',`
attribute noxattrfs;
')
- allow $1 noxattrfs:dir r_dir_perms;
-
+ allow $1 noxattrfs:dir list_dir_perms;
')
########################################
@@ -701,9 +698,7 @@ interface(`fs_read_noxattr_fs_files',`
attribute noxattrfs;
')
- allow $1 noxattrfs:dir search_dir_perms;
- allow $1 noxattrfs:file r_file_perms;
-
+ read_files_pattern($1,noxattrfs,noxattrfs)
')
########################################
@@ -721,8 +716,7 @@ interface(`fs_manage_noxattr_fs_files',`
attribute noxattrfs;
')
- allow $1 noxattrfs:dir rw_dir_perms;
- allow $1 noxattrfs:file manage_file_perms;
+ manage_files_pattern($1,noxattrfs,noxattrfs)
')
########################################
@@ -740,8 +734,7 @@ interface(`fs_read_noxattr_fs_symlinks',`
attribute noxattrfs;
')
- allow $1 noxattrfs:dir search_dir_perms;
- allow $1 noxattrfs:lnk_file r_file_perms;
+ read_lnk_files_pattern($1,noxattrfs,noxattrfs)
')
########################################
@@ -760,7 +753,7 @@ interface(`fs_dontaudit_read_cifs_files',`
type cifs_t;
')
- dontaudit $1 cifs_t:file r_file_perms;
+ dontaudit $1 cifs_t:file read_file_perms;
')
########################################
@@ -797,8 +790,8 @@ interface(`fs_read_cifs_symlinks',`
type cifs_t;
')
- allow $1 cifs_t:dir r_dir_perms;
- allow $1 cifs_t:lnk_file r_file_perms;
+ allow $1 cifs_t:dir list_dir_perms;
+ read_lnk_files_pattern($1,cifs_t,cifs_t)
')
########################################
@@ -819,8 +812,8 @@ interface(`fs_exec_cifs_files',`
type cifs_t;
')
- allow $1 cifs_t:dir r_dir_perms;
- can_exec($1, cifs_t)
+ allow $1 cifs_t:dir list_dir_perms;
+ exec_files_pattern($1,cifs_t,cifs_t)
')
########################################
@@ -840,7 +833,7 @@ interface(`fs_manage_cifs_dirs',`
type cifs_t;
')
- allow $1 cifs_t:dir create_dir_perms;
+ allow $1 cifs_t:dir manage_dir_perms;
')
########################################
@@ -860,7 +853,7 @@ interface(`fs_dontaudit_manage_cifs_dirs',`
type cifs_t;
')
- dontaudit $1 cifs_t:dir create_dir_perms;
+ dontaudit $1 cifs_t:dir manage_dir_perms;
')
########################################
@@ -880,8 +873,7 @@ interface(`fs_manage_cifs_files',`
type cifs_t;
')
- allow $1 cifs_t:dir rw_dir_perms;
- allow $1 cifs_t:file create_file_perms;
+ manage_files_pattern($1,cifs_t,cifs_t)
')
########################################
@@ -901,7 +893,7 @@ interface(`fs_dontaudit_manage_cifs_files',`
type cifs_t;
')
- dontaudit $1 cifs_t:file create_file_perms;
+ dontaudit $1 cifs_t:file manage_file_perms;
')
########################################
@@ -920,8 +912,7 @@ interface(`fs_manage_cifs_symlinks',`
type cifs_t;
')
- allow $1 cifs_t:dir rw_dir_perms;
- allow $1 cifs_t:lnk_file create_lnk_perms;
+ manage_lnk_files_pattern($1,cifs_t,cifs_t)
')
########################################
@@ -940,8 +931,7 @@ interface(`fs_manage_cifs_named_pipes',`
type cifs_t;
')
- allow $1 cifs_t:dir rw_dir_perms;
- allow $1 cifs_t:fifo_file create_file_perms;
+ manage_fifo_files_pattern($1,cifs_t,cifs_t)
')
########################################
@@ -960,8 +950,7 @@ interface(`fs_manage_cifs_named_sockets',`
type cifs_t;
')
- allow $1 cifs_t:dir rw_file_perms;
- allow $1 cifs_t:sock_file create_file_perms;
+ manage_sock_files_pattern($1,cifs_t,cifs_t)
')
########################################
@@ -1004,9 +993,8 @@ interface(`fs_cifs_domtrans',`
type cifs_t;
')
- allow $1 cifs_t:dir search;
-
- domain_auto_trans($1,cifs_t,$2)
+ allow $1 cifs_t:dir search_dir_perms;
+ domain_auto_transition_pattern($1,cifs_t,$2)
')
########################################
@@ -1122,8 +1110,7 @@ interface(`fs_manage_dos_files',`
type dosfs_t;
')
- allow $1 dosfs_t:dir rw_dir_perms;
- allow $1 dosfs_t:file manage_file_perms;
+ manage_files_pattern($1,dosfs_t,dosfs_t)
')
########################################
@@ -1182,7 +1169,7 @@ interface(`fs_list_inotifyfs',`
type inotifyfs_t;
')
- allow $1 inotifyfs_t:dir r_dir_perms;
+ allow $1 inotifyfs_t:dir list_dir_perms;
')
########################################
@@ -1280,8 +1267,8 @@ interface(`fs_read_iso9660_files',`
')
allow $1 iso9660_t:dir list_dir_perms;
- allow $1 iso9660_t:file read_file_perms;
- allow $1 iso9660_t:lnk_file { getattr read };
+ read_files_pattern($1,iso9660_t,iso9660_t)
+ read_lnk_files_pattern($1,iso9660_t,iso9660_t)
')
########################################
@@ -1373,7 +1360,7 @@ interface(`fs_search_nfs',`
type nfs_t;
')
- allow $1 nfs_t:dir search;
+ allow $1 nfs_t:dir search_dir_perms;
')
########################################
@@ -1391,7 +1378,7 @@ interface(`fs_list_nfs',`
type nfs_t;
')
- allow $1 nfs_t:dir r_dir_perms;
+ allow $1 nfs_t:dir list_dir_perms;
')
########################################
@@ -1410,7 +1397,7 @@ interface(`fs_dontaudit_list_nfs',`
type nfs_t;
')
- dontaudit $1 nfs_t:dir r_dir_perms;
+ dontaudit $1 nfs_t:dir list_dir_perms;
')
########################################
@@ -1429,8 +1416,8 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
- allow $1 nfs_t:dir r_dir_perms;
- allow $1 nfs_t:file r_file_perms;
+ allow $1 nfs_t:dir list_dir_perms;
+ read_files_pattern($1,nfs_t,nfs_t)
')
########################################
@@ -1449,7 +1436,7 @@ interface(`fs_dontaudit_read_nfs_files',`
type nfs_t;
')
- dontaudit $1 nfs_t:file r_file_perms;
+ dontaudit $1 nfs_t:file read_file_perms;
')
########################################
@@ -1467,8 +1454,8 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
- allow $1 nfs_t:dir r_dir_perms;
- allow $1 nfs_t:file write;
+ allow $1 nfs_t:dir list_dir_perms;
+ write_files_pattern($1,nfs_t,nfs_t)
')
########################################
@@ -1487,8 +1474,8 @@ interface(`fs_exec_nfs_files',`
type nfs_t;
')
- allow $1 nfs_t:dir r_dir_perms;
- can_exec($1, nfs_t)
+ allow $1 nfs_t:dir list_dir_perms;
+ exec_files_pattern($1,nfs_t,nfs_t)
')
########################################
@@ -1525,8 +1512,8 @@ interface(`fs_read_nfs_symlinks',`
type nfs_t;
')
- allow $1 nfs_t:dir r_dir_perms;
- allow $1 nfs_t:lnk_file r_file_perms;
+ allow $1 nfs_t:dir list_dir_perms;
+ read_lnk_files_pattern($1,nfs_t,nfs_t)
')
########################################
@@ -1581,8 +1568,7 @@ interface(`fs_search_removable',`
type removable_t;
')
- allow $1 removable_t:dir { getattr read search };
-
+ allow $1 removable_t:dir search_dir_perms;
')
########################################
@@ -1599,7 +1585,8 @@ interface(`fs_dontaudit_list_removable',`
gen_require(`
type removable_t;
')
- dontaudit $1 removable_t:dir r_dir_perms;
+
+ dontaudit $1 removable_t:dir list_dir_perms;
')
########################################
@@ -1617,8 +1604,7 @@ interface(`fs_read_removable_files',`
type removable_t;
')
- allow $1 removable_t:file { read getattr };
-
+ read_files_pattern($1,removable_t,removable_t)
')
########################################
@@ -1635,7 +1621,8 @@ interface(`fs_dontaudit_read_removable_files',`
gen_require(`
type removable_t;
')
- dontaudit $1 removable_t:file r_file_perms;
+
+ dontaudit $1 removable_t:file read_file_perms;
')
########################################
@@ -1653,8 +1640,7 @@ interface(`fs_read_removable_symlinks',`
type removable_t;
')
- allow $1 removable_t:lnk_file { getattr read };
-
+ read_lnk_files_pattern($1,removable_t,removable_t)
')
########################################
@@ -1672,8 +1658,7 @@ interface(`fs_list_rpc',`
type rpc_pipefs_t;
')
- allow $1 rpc_pipefs_t:dir { getattr read search };
-
+ allow $1 rpc_pipefs_t:dir list_dir_perms;
')
########################################
@@ -1691,8 +1676,7 @@ interface(`fs_read_rpc_files',`
type rpc_pipefs_t;
')
- allow $1 rpc_pipefs_t:file { read getattr };
-
+ read_files_pattern($1,rpc_pipefs_t,rpc_pipefs_t)
')
########################################
@@ -1710,8 +1694,7 @@ interface(`fs_read_rpc_symlinks',`
type rpc_pipefs_t;
')
- allow $1 rpc_pipefs_t:lnk_file { getattr read };
-
+ read_lnk_files_pattern($1,rpc_pipefs_t,rpc_pipefs_t)
')
########################################
@@ -1750,7 +1733,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
- allow $1 nfs_t:dir create_dir_perms;
+ allow $1 nfs_t:dir manage_dir_perms;
')
########################################
@@ -1770,7 +1753,7 @@ interface(`fs_dontaudit_manage_nfs_dirs',`
type nfs_t;
')
- dontaudit $1 nfs_t:dir create_dir_perms;
+ dontaudit $1 nfs_t:dir manage_dir_perms;
')
########################################
@@ -1790,8 +1773,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
- allow $1 nfs_t:dir rw_dir_perms;
- allow $1 nfs_t:file create_file_perms;
+ manage_files_pattern($1,nfs_t,nfs_t)
')
########################################
@@ -1811,7 +1793,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
type nfs_t;
')
- dontaudit $1 nfs_t:file create_file_perms;
+ dontaudit $1 nfs_t:file manage_file_perms;
')
#########################################
@@ -1831,8 +1813,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
- allow $1 nfs_t:dir rw_dir_perms;
- allow $1 nfs_t:lnk_file create_lnk_perms;
+ manage_lnk_files_pattern($1,nfs_t,nfs_t)
')
#########################################
@@ -1851,8 +1832,7 @@ interface(`fs_manage_nfs_named_pipes',`
type nfs_t;
')
- allow $1 nfs_t:dir rw_dir_perms;
- allow $1 nfs_t:fifo_file create_file_perms;
+ manage_fifo_files_pattern($1,nfs_t,nfs_t)
')
#########################################
@@ -1871,8 +1851,7 @@ interface(`fs_manage_nfs_named_sockets',`
type nfs_t;
')
- allow $1 nfs_t:dir rw_dir_perms;
- allow $1 nfs_t:sock_file create_file_perms;
+ manage_sock_files_pattern($1,nfs_t,nfs_t)
')
########################################
@@ -1915,9 +1894,8 @@ interface(`fs_nfs_domtrans',`
type nfs_t;
')
- allow $1 nfs_t:dir search;
-
- domain_auto_trans($1,nfs_t,$2)
+ allow $1 nfs_t:dir search_dir_perms;
+ domain_auto_transition_pattern($1,nfs_t,$2)
')
########################################
@@ -2009,7 +1987,7 @@ interface(`fs_search_nfsd_fs',`
type nfsd_fs_t;
')
- allow $1 nfsd_fs_t:dir search;
+ allow $1 nfsd_fs_t:dir search_dir_perms;
')
########################################
@@ -2027,7 +2005,7 @@ interface(`fs_rw_nfsd_fs',`
type nfsd_fs_t;
')
- allow $1 nfsd_fs_t:file rw_file_perms;
+ rw_files_pattern($1,nfsd_fs_t,nfsd_fs_t)
')
########################################
@@ -2136,7 +2114,7 @@ interface(`fs_dontaudit_search_ramfs',`
type ramfs_t;
')
- dontaudit $1 ramfs_t:dir search;
+ dontaudit $1 ramfs_t:dir search_dir_perms;
')
########################################
@@ -2210,8 +2188,7 @@ interface(`fs_manage_ramfs_files',`
type ramfs_t;
')
- allow $1 ramfs_t:dir rw_dir_perms;
- allow $1 ramfs_t:file manage_file_perms;
+ manage_files_pattern($1,ramfs_t,ramfs_t)
')
########################################
@@ -2229,8 +2206,7 @@ interface(`fs_write_ramfs_pipes',`
type ramfs_t;
')
- allow $1 ramfs_t:dir search_dir_perms;
- allow $1 ramfs_t:fifo_file write;
+ write_fifo_files_pattern($1,ramfs_t,ramfs_t)
')
########################################
@@ -2267,8 +2243,7 @@ interface(`fs_rw_ramfs_pipes',`
type ramfs_t;
')
- allow $1 ramfs_t:dir search_dir_perms;
- allow $1 ramfs_t:fifo_file rw_file_perms;
+ rw_fifo_files_pattern($1,ramfs_t,ramfs_t)
')
########################################
@@ -2287,8 +2262,7 @@ interface(`fs_manage_ramfs_pipes',`
type ramfs_t;
')
- allow $1 ramfs_t:dir rw_dir_perms;
- allow $1 ramfs_t:fifo_file manage_file_perms;
+ manage_fifo_files_pattern($1,ramfs_t,ramfs_t)
')
########################################
@@ -2306,7 +2280,7 @@ interface(`fs_write_ramfs_sockets',`
type ramfs_t;
')
- allow $1 ramfs_t:sock_file write;
+ write_sock_files_pattern($1,ramfs_t,ramfs_t)
')
########################################
@@ -2325,8 +2299,7 @@ interface(`fs_manage_ramfs_sockets',`
type ramfs_t;
')
- allow $1 ramfs_t:dir rw_dir_perms;
- allow $1 ramfs_t:sock_file manage_file_perms;
+ manage_sock_files_pattern($1,ramfs_t,ramfs_t)
')
########################################
@@ -2657,7 +2630,7 @@ interface(`fs_search_tmpfs',`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir search;
+ allow $1 tmpfs_t:dir search_dir_perms;
')
########################################
@@ -2675,7 +2648,7 @@ interface(`fs_list_tmpfs',`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir r_dir_perms;
+ allow $1 tmpfs_t:dir list_dir_perms;
')
########################################
@@ -2694,7 +2667,7 @@ interface(`fs_dontaudit_list_tmpfs',`
type tmpfs_t;
')
- dontaudit $1 tmpfs_t:dir r_dir_perms;
+ dontaudit $1 tmpfs_t:dir list_dir_perms;
')
########################################
@@ -2713,7 +2686,7 @@ interface(`fs_manage_tmpfs_dirs',`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir create_dir_perms;
+ allow $1 tmpfs_t:dir manage_dir_perms;
')
########################################
@@ -2743,8 +2716,7 @@ interface(`fs_tmpfs_filetrans',`
')
allow $2 tmpfs_t:filesystem associate;
- allow $1 tmpfs_t:dir rw_dir_perms;
- type_transition $1 tmpfs_t:$3 $2;
+ filetrans_pattern($1,tmpfs_t,$2,$3)
')
########################################
@@ -2800,8 +2772,7 @@ interface(`fs_rw_tmpfs_files',`
type tmpfs_t;
')
- fs_search_tmpfs($1)
- allow $1 tmpfs_t:file rw_file_perms;
+ rw_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@@ -2819,8 +2790,7 @@ interface(`fs_read_tmpfs_symlinks',`
type tmpfs_t;
')
- fs_search_tmpfs($1)
- allow $1 tmpfs_t:lnk_file read;
+ read_lnk_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@@ -2838,8 +2808,8 @@ interface(`fs_rw_tmpfs_chr_files',`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir r_dir_perms;
- allow $1 tmpfs_t:chr_file rw_file_perms;
+ allow $1 tmpfs_t:dir list_dir_perms;
+ rw_chr_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@@ -2857,8 +2827,8 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
type tmpfs_t;
')
- dontaudit $1 tmpfs_t:dir r_dir_perms;
- dontaudit $1 tmpfs_t:chr_file rw_file_perms;
+ dontaudit $1 tmpfs_t:dir list_dir_perms;
+ dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms;
')
########################################
@@ -2876,8 +2846,8 @@ interface(`fs_relabel_tmpfs_chr_file',`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir r_dir_perms;
- allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
+ allow $1 tmpfs_t:dir list_dir_perms;
+ relabel_chr_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@@ -2895,8 +2865,8 @@ interface(`fs_rw_tmpfs_blk_files',`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir r_dir_perms;
- allow $1 tmpfs_t:blk_file rw_file_perms;
+ allow $1 tmpfs_t:dir list_dir_perms;
+ rw_blk_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@@ -2914,8 +2884,8 @@ interface(`fs_relabel_tmpfs_blk_file',`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir r_dir_perms;
- allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
+ allow $1 tmpfs_t:dir list_dir_perms;
+ relabel_blk_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@@ -2934,8 +2904,7 @@ interface(`fs_manage_tmpfs_files',`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir rw_dir_perms;
- allow $1 tmpfs_t:file create_file_perms;
+ manage_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@@ -2954,8 +2923,7 @@ interface(`fs_manage_tmpfs_symlinks',`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir rw_dir_perms;
- allow $1 tmpfs_t:lnk_file create_lnk_perms;
+ manage_lnk_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@@ -2974,8 +2942,7 @@ interface(`fs_manage_tmpfs_sockets',`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir rw_dir_perms;
- allow $1 tmpfs_t:sock_file create_file_perms;
+ manage_sock_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@@ -2994,8 +2961,7 @@ interface(`fs_manage_tmpfs_chr_files',`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir rw_dir_perms;
- allow $1 tmpfs_t:chr_file create_file_perms;
+ manage_chr_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@@ -3014,8 +2980,7 @@ interface(`fs_manage_tmpfs_blk_files',`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir rw_dir_perms;
- allow $1 tmpfs_t:blk_file create_file_perms;
+ manage_blk_files_pattern($1,tmpfs_t,tmpfs_t)
')
########################################
@@ -3220,7 +3185,7 @@ interface(`fs_list_all',`
attribute filesystem_type;
')
- allow $1 filesystem_type:dir r_dir_perms;
+ allow $1 filesystem_type:dir list_dir_perms;
')
########################################
@@ -3239,8 +3204,7 @@ interface(`fs_getattr_all_files',`
attribute filesystem_type;
')
- allow $1 filesystem_type:dir { search getattr };
- allow $1 filesystem_type:file getattr;
+ getattr_files_pattern($1,filesystem_type,filesystem_type)
')
########################################
@@ -3259,8 +3223,7 @@ interface(`fs_getattr_all_symlinks',`
attribute filesystem_type;
')
- allow $1 filesystem_type:dir { search getattr };
- allow $1 filesystem_type:lnk_file getattr;
+ getattr_lnk_files_pattern($1,filesystem_type,filesystem_type)
')
########################################
@@ -3279,8 +3242,7 @@ interface(`fs_getattr_all_pipes',`
attribute filesystem_type;
')
- allow $1 filesystem_type:dir { search getattr };
- allow $1 filesystem_type:fifo_file getattr;
+ getattr_fifo_files_pattern($1,filesystem_type,filesystem_type)
')
########################################
@@ -3299,8 +3261,7 @@ interface(`fs_getattr_all_sockets',`
attribute filesystem_type;
')
- allow $1 filesystem_type:dir { search getattr };
- allow $1 filesystem_type:sock_file getattr;
+ getattr_sock_files_pattern($1,filesystem_type,filesystem_type)
')
########################################
@@ -3413,11 +3374,12 @@ interface(`fs_relabelfrom_noxattr_fs',`
attribute noxattrfs;
')
- allow $1 noxattrfs:dir { list_dir_perms relabelfrom };
- allow $1 noxattrfs:file { getattr relabelfrom };
- allow $1 noxattrfs:lnk_file { getattr relabelfrom };
- allow $1 noxattrfs:fifo_file { getattr relabelfrom };
- allow $1 noxattrfs:sock_file { getattr relabelfrom };
- allow $1 noxattrfs:blk_file { getattr relabelfrom };
- allow $1 noxattrfs:chr_file { getattr relabelfrom };
+ allow $1 noxattrfs:dir list_dir_perms;
+ relabelfrom_dirs_pattern($1,noxattrfs,noxattrfs)
+ relabelfrom_files_pattern($1,noxattrfs,noxattrfs)
+ relabelfrom_lnk_files_pattern($1,noxattrfs,noxattrfs)
+ relabelfrom_fifo_files_pattern($1,noxattrfs,noxattrfs)
+ relabelfrom_sock_files_pattern($1,noxattrfs,noxattrfs)
+ relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
+ relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
')
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 14194f21..1b65900e 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -27,12 +27,7 @@ interface(`kernel_domtrans_to',`
type kernel_t;
')
- domain_auto_trans(kernel_t, $2, $1)
-
- allow kernel_t $1:fd use;
- allow $1 kernel_t:fd use;
- allow $1 kernel_t:fifo_file rw_file_perms;
- allow $1 kernel_t:process sigchld;
+ domtrans_pattern(kernel_t, $2, $1)
')
########################################
@@ -534,7 +529,7 @@ interface(`kernel_search_debugfs',`
type debugfs_t;
')
- allow $1 debugfs_t:dir search;
+ search_dirs_pattern($1,debugfs_t,debugfs_t)
')
########################################
@@ -552,9 +547,9 @@ interface(`kernel_read_debugfs',`
type debugfs_t;
')
- allow $1 debugfs_t:dir r_dir_perms;
- allow $1 debugfs_t:file r_file_perms;
- allow $1 debugfs_t:lnk_file { getattr read };
+ read_files_pattern($1,debugfs_t,debugfs_t)
+ read_lnk_files_pattern($1,debugfs_t,debugfs_t)
+ list_dirs_pattern($1,debugfs_t,debugfs_t)
')
########################################
@@ -608,7 +603,7 @@ interface(`kernel_search_proc',`
type proc_t;
')
- allow $1 proc_t:dir search;
+ search_dirs_pattern($1,proc_t,proc_t)
')
########################################
@@ -626,7 +621,7 @@ interface(`kernel_list_proc',`
type proc_t;
')
- allow $1 proc_t:dir r_dir_perms;
+ list_dirs_pattern($1,proc_t,proc_t)
')
########################################
@@ -663,8 +658,7 @@ interface(`kernel_getattr_proc_files',`
type proc_t;
')
- allow $1 proc_t:dir search;
- allow $1 proc_t:file getattr;
+ getattr_files_pattern($1,proc_t,proc_t)
')
########################################
@@ -682,8 +676,7 @@ interface(`kernel_read_proc_symlinks',`
type proc_t;
')
- allow $1 proc_t:dir search;
- allow $1 proc_t:lnk_file { getattr read };
+ read_lnk_files_pattern($1,proc_t,proc_t)
')
########################################
@@ -702,9 +695,10 @@ interface(`kernel_read_system_state',`
type proc_t;
')
- allow $1 proc_t:dir r_dir_perms;
- allow $1 proc_t:lnk_file { getattr read };
- allow $1 proc_t:file r_file_perms;
+ read_files_pattern($1,proc_t,proc_t)
+ read_lnk_files_pattern($1,proc_t,proc_t)
+
+ list_dirs_pattern($1,proc_t,proc_t)
')
########################################
@@ -727,8 +721,7 @@ interface(`kernel_write_proc_files',`
type proc_t;
')
- allow $1 proc_t:dir search;
- allow $1 proc_t:file { append write };
+ write_files_pattern($1,proc_t,proc_t)
')
########################################
@@ -785,8 +778,9 @@ interface(`kernel_read_software_raid_state',`
type proc_t, proc_mdstat_t;
')
- allow $1 proc_t:dir r_dir_perms;
- allow $1 proc_mdstat_t:file r_file_perms;
+ read_files_pattern($1,proc_t,proc_mdstat_t)
+
+ list_dirs_pattern($1,proc_t,proc_t)
')
#######################################
@@ -804,8 +798,9 @@ interface(`kernel_rw_software_raid_state',`
type proc_t, proc_mdstat_t;
')
- allow $1 proc_t:dir r_dir_perms;
- allow $1 proc_mdstat_t:file rw_file_perms;
+ rw_files_pattern($1,proc_t,proc_mdstat_t)
+
+ list_dirs_pattern($1,proc_t,proc_t)
')
########################################
@@ -823,8 +818,9 @@ interface(`kernel_getattr_core_if',`
type proc_t, proc_kcore_t;
')
- allow $1 proc_t:dir r_dir_perms;
- allow $1 proc_kcore_t:file getattr;
+ getattr_files_pattern($1,proc_t,proc_kcore_t)
+
+ list_dirs_pattern($1,proc_t,proc_t)
')
########################################
@@ -863,8 +859,8 @@ interface(`kernel_read_messages',`
type proc_kmsg_t, proc_t;
')
- allow $1 proc_t:dir search;
- allow $1 proc_kmsg_t:file r_file_perms;
+ read_files_pattern($1,proc_t,proc_kmsg_t)
+
typeattribute $1 can_receive_kernel_messages;
')
@@ -884,8 +880,7 @@ interface(`kernel_getattr_message_if',`
type proc_kmsg_t, proc_t;
')
- allow $1 proc_t:dir search;
- allow $1 proc_kmsg_t:file getattr;
+ getattr_files_pattern($1,proc_t,proc_kmsg_t)
')
########################################
@@ -943,7 +938,7 @@ interface(`kernel_search_network_state',`
type proc_net_t;
')
- allow $1 proc_net_t:dir search;
+ search_dirs_pattern($1,proc_t,proc_net_t)
')
########################################
@@ -962,10 +957,10 @@ interface(`kernel_read_network_state',`
type proc_t, proc_net_t;
')
- allow $1 proc_t:dir search;
- allow $1 proc_net_t:dir r_dir_perms;
- allow $1 proc_net_t:file r_file_perms;
- allow $1 proc_net_t:lnk_file { getattr read };
+ read_files_pattern($1,{ proc_t proc_net_t },proc_net_t)
+ read_lnk_files_pattern($1,{ proc_t proc_net_t },proc_net_t)
+
+ list_dirs_pattern($1,proc_t,proc_net_t)
')
########################################
@@ -983,9 +978,9 @@ interface(`kernel_read_network_state_symlinks',`
type proc_t, proc_net_t;
')
- allow $1 proc_t:dir search;
- allow $1 proc_net_t:dir r_dir_perms;
- allow $1 proc_net_t:lnk_file r_file_perms;
+ read_lnk_files_pattern($1,{ proc_t proc_net_t },proc_net_t)
+
+ list_dirs_pattern($1,proc_t,proc_net_t)
')
########################################
@@ -1004,8 +999,7 @@ interface(`kernel_search_xen_state',`
type proc_t, proc_xen_t;
')
- allow $1 proc_t:dir search_dir_perms;
- allow $1 proc_xen_t:dir search_dir_perms;
+ search_dirs_pattern($1,proc_t,proc_xen_t)
')
########################################
@@ -1044,10 +1038,10 @@ interface(`kernel_read_xen_state',`
type proc_t, proc_xen_t;
')
- allow $1 proc_t:dir search_dir_perms;
- allow $1 proc_xen_t:dir r_dir_perms;
- allow $1 proc_xen_t:file r_file_perms;
- allow $1 proc_xen_t:lnk_file { getattr read };
+ read_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
+ read_lnk_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
+
+ list_dirs_pattern($1,proc_t,proc_xen_t)
')
########################################
@@ -1066,9 +1060,9 @@ interface(`kernel_read_xen_state_symlinks',`
type proc_t, proc_xen_t;
')
- allow $1 proc_t:dir search;
- allow $1 proc_xen_t:dir r_dir_perms;
- allow $1 proc_xen_t:lnk_file r_file_perms;
+ read_lnk_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
+
+ list_dirs_pattern($1,proc_t,proc_xen_t)
')
########################################
@@ -1087,9 +1081,7 @@ interface(`kernel_write_xen_state',`
type proc_t, proc_xen_t;
')
- allow $1 proc_t:dir search;
- allow $1 proc_xen_t:dir r_dir_perms;
- allow $1 proc_xen_t:file write;
+ write_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
')
########################################
@@ -1146,7 +1138,7 @@ interface(`kernel_read_sysctl',`
type sysctl_t;
')
- allow $1 sysctl_t:dir r_dir_perms;
+ list_dirs_pattern($1,proc_t,sysctl_t)
')
########################################
@@ -1165,10 +1157,9 @@ interface(`kernel_read_device_sysctls',`
type proc_t, sysctl_t, sysctl_dev_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_dev_t:dir r_dir_perms;
- allow $1 sysctl_dev_t:file r_file_perms;
+ read_files_pattern($1,{ proc_t sysctl_t sysctl_dev_t },sysctl_dev_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_dev_t)
')
########################################
@@ -1187,9 +1178,9 @@ interface(`kernel_rw_device_sysctls',`
type proc_t, sysctl_t, sysctl_dev_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_dev_t:file rw_file_perms;
+ rw_files_pattern($1,{ proc_t sysctl_t sysctl_dev_t },sysctl_dev_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_dev_t)
')
########################################
@@ -1207,7 +1198,7 @@ interface(`kernel_search_vm_sysctl',`
type proc_t, sysctl_t, sysctl_vm_t;
')
- allow $1 { proc_t sysctl_t sysctl_vm_t }:dir search_dir_perms;
+ search_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t)
')
########################################
@@ -1226,9 +1217,9 @@ interface(`kernel_read_vm_sysctls',`
type proc_t, sysctl_t, sysctl_vm_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_vm_t:file r_file_perms;
+ read_files_pattern($1,{ proc_t sysctl_t sysctl_vm_t },sysctl_vm_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t)
')
########################################
@@ -1247,10 +1238,8 @@ interface(`kernel_rw_vm_sysctls',`
type proc_t, sysctl_t, sysctl_vm_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_vm_t:dir list_dir_perms;
- allow $1 sysctl_vm_t:file rw_file_perms;
+ rw_files_pattern($1,{ proc_t sysctl_t sysctl_vm_t },sysctl_vm_t)
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t)
# hal needs this
allow $1 sysctl_vm_t:dir write;
@@ -1271,7 +1260,7 @@ interface(`kernel_search_network_sysctl',`
type proc_t, sysctl_t, sysctl_net_t;
')
- allow $1 { proc_t sysctl_t sysctl_net_t }:dir search;
+ search_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
')
########################################
@@ -1308,10 +1297,9 @@ interface(`kernel_read_net_sysctls',`
type proc_t, sysctl_t, sysctl_net_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_net_t:dir r_dir_perms;
- allow $1 sysctl_net_t:file r_file_perms;
+ read_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
')
########################################
@@ -1330,10 +1318,9 @@ interface(`kernel_rw_net_sysctls',`
type proc_t, sysctl_t, sysctl_net_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_net_t:dir r_dir_perms;
- allow $1 sysctl_net_t:file rw_file_perms;
+ rw_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
')
########################################
@@ -1353,10 +1340,9 @@ interface(`kernel_read_unix_sysctls',`
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_net_t:dir r_dir_perms;
- allow $1 sysctl_net_unix_t:file r_file_perms;
+ read_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_unix_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
')
########################################
@@ -1376,10 +1362,9 @@ interface(`kernel_rw_unix_sysctls',`
type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_net_t:dir r_dir_perms;
- allow $1 sysctl_net_unix_t:file rw_file_perms;
+ rw_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_unix_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
')
########################################
@@ -1398,10 +1383,9 @@ interface(`kernel_read_hotplug_sysctls',`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_kernel_t:dir r_dir_perms;
- allow $1 sysctl_hotplug_t:file r_file_perms;
+ read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_hotplug_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
')
########################################
@@ -1420,10 +1404,9 @@ interface(`kernel_rw_hotplug_sysctls',`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_kernel_t:dir r_dir_perms;
- allow $1 sysctl_hotplug_t:file rw_file_perms;
+ rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_hotplug_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
')
########################################
@@ -1442,10 +1425,9 @@ interface(`kernel_read_modprobe_sysctls',`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_kernel_t:dir r_dir_perms;
- allow $1 sysctl_modprobe_t:file r_file_perms;
+ read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_modprobe_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
')
########################################
@@ -1464,10 +1446,9 @@ interface(`kernel_rw_modprobe_sysctls',`
type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_kernel_t:dir r_dir_perms;
- allow $1 sysctl_modprobe_t:file rw_file_perms;
+ rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_modprobe_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
')
########################################
@@ -1503,10 +1484,9 @@ interface(`kernel_read_kernel_sysctls',`
type proc_t, sysctl_t, sysctl_kernel_t;
')
- allow $1 proc_t:dir search_dir_perms;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_kernel_t:dir r_dir_perms;
- allow $1 sysctl_kernel_t:file r_file_perms;
+ read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_kernel_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
')
########################################
@@ -1543,10 +1523,9 @@ interface(`kernel_rw_kernel_sysctl',`
type proc_t, sysctl_t, sysctl_kernel_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_kernel_t:dir r_dir_perms;
- allow $1 sysctl_kernel_t:file rw_file_perms;
+ rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_kernel_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
')
########################################
@@ -1565,10 +1544,9 @@ interface(`kernel_read_fs_sysctls',`
type proc_t, sysctl_t, sysctl_fs_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_fs_t:dir r_dir_perms;
- allow $1 sysctl_fs_t:file r_file_perms;
+ read_files_pattern($1,{ proc_t sysctl_t sysctl_fs_t },sysctl_fs_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_fs_t)
')
########################################
@@ -1587,10 +1565,9 @@ interface(`kernel_rw_fs_sysctls',`
type proc_t, sysctl_t, sysctl_fs_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
- allow $1 sysctl_fs_t:dir r_dir_perms;
- allow $1 sysctl_fs_t:file rw_file_perms;
+ rw_files_pattern($1,{ proc_t sysctl_t sysctl_fs_t },sysctl_fs_t)
+
+ list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_fs_t)
')
########################################
@@ -1609,9 +1586,9 @@ interface(`kernel_read_irq_sysctls',`
type proc_t, sysctl_irq_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_irq_t:dir r_dir_perms;
- allow $1 sysctl_irq_t:file r_file_perms;
+ read_files_pattern($1,{ proc_t sysctl_irq_t },sysctl_irq_t)
+
+ list_dirs_pattern($1,proc_t,sysctl_irq_t)
')
########################################
@@ -1630,9 +1607,9 @@ interface(`kernel_rw_irq_sysctls',`
type proc_t, sysctl_irq_t;
')
- allow $1 proc_t:dir search;
- allow $1 sysctl_irq_t:dir r_dir_perms;
- allow $1 sysctl_irq_t:file rw_file_perms;
+ rw_files_pattern($1,{ proc_t sysctl_irq_t },sysctl_irq_t)
+
+ list_dirs_pattern($1,proc_t,sysctl_irq_t)
')
########################################
@@ -1651,10 +1628,9 @@ interface(`kernel_read_rpc_sysctls',`
type proc_t, proc_net_t, sysctl_rpc_t;
')
- allow $1 proc_t:dir search;
- allow $1 proc_net_t:dir search;
- allow $1 sysctl_rpc_t:dir r_dir_perms;
- allow $1 sysctl_rpc_t:file r_file_perms;
+ read_files_pattern($1,{ proc_t proc_net_t sysctl_rpc_t },sysctl_rpc_t)
+
+ list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_rpc_t)
')
########################################
@@ -1673,10 +1649,9 @@ interface(`kernel_rw_rpc_sysctls',`
type proc_t, proc_net_t, sysctl_rpc_t;
')
- allow $1 proc_t:dir search;
- allow $1 proc_net_t:dir search;
- allow $1 sysctl_rpc_t:dir r_dir_perms;
- allow $1 sysctl_rpc_t:file rw_file_perms;
+ rw_files_pattern($1,{ proc_t proc_net_t sysctl_rpc_t },sysctl_rpc_t)
+
+ list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_rpc_t)
')
########################################
@@ -1715,10 +1690,9 @@ interface(`kernel_read_all_sysctls',`
')
# proc_net_t for /proc/net/rpc sysctls
- allow $1 { proc_t proc_net_t }:dir search;
+ read_files_pattern($1,{ proc_t proc_net_t sysctl_type },sysctl_type)
- allow $1 sysctl_type:dir r_dir_perms;
- allow $1 sysctl_type:file r_file_perms;
+ list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_type)
')
########################################
@@ -1739,10 +1713,11 @@ interface(`kernel_rw_all_sysctls',`
')
# proc_net_t for /proc/net/rpc sysctls
- allow $1 { proc_t proc_net_t }:dir search;
+ rw_files_pattern($1,{ proc_t proc_net_t sysctl_type },sysctl_type)
- allow $1 sysctl_type:dir r_dir_perms;
- allow $1 sysctl_type:file { rw_file_perms setattr };
+ allow $1 sysctl_type:dir list_dir_perms;
+ # why is setattr needed?
+ allow $1 sysctl_type:file setattr;
')
########################################
@@ -1850,7 +1825,7 @@ interface(`kernel_list_unlabeled',`
type unlabeled_t;
')
- allow $1 unlabeled_t:dir r_dir_perms;
+ allow $1 unlabeled_t:dir list_dir_perms;
')
########################################
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 4ee5f72b..bc7c8400 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -99,7 +99,7 @@ interface(`storage_raw_read_fixed_disk',`
')
dev_list_all_dev_nodes($1)
- allow $1 fixed_disk_device_t:blk_file r_file_perms;
+ allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
typeattribute $1 fixed_disk_raw_read;
')
@@ -143,7 +143,7 @@ interface(`storage_raw_write_fixed_disk',`
')
dev_list_all_dev_nodes($1)
- allow $1 fixed_disk_device_t:blk_file { getattr write append ioctl };
+ allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
typeattribute $1 fixed_disk_raw_write;
')
@@ -164,7 +164,7 @@ interface(`storage_dontaudit_write_fixed_disk',`
')
- dontaudit $1 fixed_disk_device_t:blk_file { write append ioctl };
+ dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms;
')
########################################
@@ -184,7 +184,7 @@ interface(`storage_manage_fixed_disk',`
')
dev_list_all_dev_nodes($1)
- allow $1 fixed_disk_device_t:blk_file create_file_perms;
+ allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')
@@ -242,7 +242,7 @@ interface(`storage_relabel_fixed_disk',`
')
dev_list_all_dev_nodes($1)
- allow $1 fixed_disk_device_t:blk_file { relabelfrom relabelto };
+ allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;
')
########################################
@@ -325,7 +325,7 @@ interface(`storage_read_scsi_generic',`
')
dev_list_all_dev_nodes($1)
- allow $1 scsi_generic_device_t:chr_file r_file_perms;
+ allow $1 scsi_generic_device_t:chr_file read_chr_file_perms;
typeattribute $1 scsi_generic_read;
')
@@ -350,7 +350,7 @@ interface(`storage_write_scsi_generic',`
')
dev_list_all_dev_nodes($1)
- allow $1 scsi_generic_device_t:chr_file { getattr write ioctl };
+ allow $1 scsi_generic_device_t:chr_file write_chr_file_perms;
typeattribute $1 scsi_generic_write;
')
@@ -511,7 +511,7 @@ interface(`storage_raw_read_removable_device',`
')
dev_list_all_dev_nodes($1)
- allow $1 removable_device_t:blk_file r_file_perms;
+ allow $1 removable_device_t:blk_file read_blk_file_perms;
')
########################################
@@ -529,7 +529,7 @@ interface(`storage_dontaudit_raw_read_removable_device',`
type removable_device_t;
')
- dontaudit $1 removable_device_t:blk_file r_file_perms;
+ dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
')
########################################
@@ -552,7 +552,7 @@ interface(`storage_raw_write_removable_device',`
')
dev_list_all_dev_nodes($1)
- allow $1 removable_device_t:blk_file { getattr write ioctl };
+ allow $1 removable_device_t:blk_file write_blk_file_perms;
')
########################################
@@ -570,7 +570,7 @@ interface(`storage_dontaudit_raw_write_removable_device',`
type removable_device_t;
')
- dontaudit $1 removable_device_t:blk_file { write append ioctl };
+ dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
')
########################################
@@ -590,7 +590,7 @@ interface(`storage_read_tape',`
')
dev_list_all_dev_nodes($1)
- allow $1 tape_device_t:chr_file r_file_perms;
+ allow $1 tape_device_t:chr_file read_chr_file_perms;
')
########################################
@@ -610,7 +610,7 @@ interface(`storage_write_tape',`
')
dev_list_all_dev_nodes($1)
- allow $1 tape_device_t:chr_file { getattr write ioctl };
+ allow $1 tape_device_t:chr_file write_chr_file_perms;
')
########################################
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index a73376b3..1e2d7036 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -153,7 +153,7 @@ interface(`term_create_pty',`
dev_list_all_dev_nodes($1)
allow $1 ptmx_t:chr_file rw_file_perms;
- allow $1 devpts_t:dir r_dir_perms;
+ allow $1 devpts_t:dir list_dir_perms;
allow $1 devpts_t:filesystem getattr;
dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
type_transition $1 devpts_t:chr_file $2;
@@ -178,7 +178,7 @@ interface(`term_use_all_terms',`
')
dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir r_dir_perms;
+ allow $1 devpts_t:dir list_dir_perms;
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
')
@@ -199,7 +199,7 @@ interface(`term_write_console',`
')
dev_list_all_dev_nodes($1)
- allow $1 console_device_t:chr_file { getattr write append };
+ allow $1 console_device_t:chr_file write_chr_file_perms;
')
########################################
@@ -219,7 +219,7 @@ interface(`term_read_console',`
')
dev_list_all_dev_nodes($1)
- allow $1 console_device_t:chr_file read;
+ allow $1 console_device_t:chr_file read_chr_file_perms;
')
########################################
@@ -239,7 +239,7 @@ interface(`term_use_console',`
')
dev_list_all_dev_nodes($1)
- allow $1 console_device_t:chr_file rw_file_perms;
+ allow $1 console_device_t:chr_file rw_chr_file_perms;
')
########################################
@@ -258,7 +258,7 @@ interface(`term_dontaudit_use_console',`
type console_device_t;
')
- dontaudit $1 console_device_t:chr_file rw_file_perms;
+ dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
')
########################################
@@ -294,12 +294,11 @@ interface(`term_setattr_console',`
#
interface(`term_create_console_dev',`
gen_require(`
- type device_t, console_device_t;
+ type console_device_t;
')
- allow $1 device_t:dir add_entry_dir_perms;
+ dev_add_entry_generic_dirs($1)
allow $1 console_device_t:chr_file create;
-
allow $1 self:capability mknod;
')
@@ -356,7 +355,7 @@ interface(`term_search_ptys',`
')
dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir search;
+ allow $1 devpts_t:dir search_dir_perms;
')
########################################
@@ -376,7 +375,7 @@ interface(`term_dontaudit_search_ptys',`
')
dev_dontaudit_list_all_dev_nodes($1)
- dontaudit $1 devpts_t:dir search;
+ dontaudit $1 devpts_t:dir search_dir_perms;
')
########################################
@@ -396,7 +395,7 @@ interface(`term_list_ptys',`
')
dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir r_dir_perms;
+ allow $1 devpts_t:dir list_dir_perms;
')
########################################
@@ -434,7 +433,7 @@ interface(`term_dontaudit_manage_pty_dirs',`
type devpts_t;
')
- dontaudit $1 devpts_t:dir create_dir_perms;
+ dontaudit $1 devpts_t:dir manage_dir_perms;
')
########################################
@@ -575,6 +574,7 @@ interface(`term_use_ptmx',`
type ptmx_t;
')
+ dev_list_all_dev_nodes($1)
allow $1 ptmx_t:chr_file rw_file_perms;
')
@@ -615,7 +615,7 @@ interface(`term_getattr_all_user_ptys',`
')
dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir r_dir_perms;
+ allow $1 devpts_t:dir list_dir_perms;
allow $1 ptynode:chr_file getattr;
')
@@ -657,7 +657,7 @@ interface(`term_setattr_all_user_ptys',`
')
dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir r_dir_perms;
+ allow $1 devpts_t:dir list_dir_perms;
allow $1 ptynode:chr_file setattr;
')
@@ -697,7 +697,7 @@ interface(`term_use_all_user_ptys',`
')
dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir r_dir_perms;
+ allow $1 devpts_t:dir list_dir_perms;
allow $1 ptynode:chr_file { rw_term_perms lock append };
')
@@ -738,8 +738,7 @@ interface(`term_relabel_all_user_ptys',`
')
dev_list_all_dev_nodes($1)
- allow $1 devpts_t:dir search;
- allow $1 ptynode:chr_file { relabelfrom relabelto };
+ relabel_chr_files_pattern($1,devpts_t,ptynode)
')
########################################
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
index d61c92d3..6d449709 100644
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
@@ -67,37 +67,25 @@ allow afs_bosserver_t self:udp_socket create_socket_perms;
can_exec(afs_bosserver_t,afs_bosserver_exec_t)
-allow afs_bosserver_t afs_config_t:file manage_file_perms;
-allow afs_bosserver_t afs_config_t:dir manage_dir_perms;
+manage_dirs_pattern(afs_bosserver_t,afs_config_t,afs_config_t)
+manage_files_pattern(afs_bosserver_t,afs_config_t,afs_config_t)
allow afs_bosserver_t afs_dbdir_t:dir { search read getattr };
allow afs_bosserver_t afs_fsserver_t:process signal_perms;
-domain_auto_trans(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
-allow afs_fsserver_t afs_bosserver_t:fd use;
-allow afs_fsserver_t afs_bosserver_t:fifo_file rw_file_perms;
-allow afs_fsserver_t afs_bosserver_t:process sigchld;
+domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
allow afs_bosserver_t afs_kaserver_t:process signal_perms;
-domain_auto_trans(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t)
-allow afs_kaserver_t afs_bosserver_t:fd use;
-allow afs_kaserver_t afs_bosserver_t:fifo_file rw_file_perms;
-allow afs_kaserver_t afs_bosserver_t:process sigchld;
+domtrans_pattern(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t)
-allow afs_bosserver_t afs_logfile_t:file create_file_perms;
-allow afs_bosserver_t afs_logfile_t:dir create_dir_perms;
+allow afs_bosserver_t afs_logfile_t:file manage_file_perms;
+allow afs_bosserver_t afs_logfile_t:dir manage_dir_perms;
allow afs_bosserver_t afs_ptserver_t:process signal_perms;
-domain_auto_trans(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t)
-allow afs_ptserver_t afs_bosserver_t:fd use;
-allow afs_ptserver_t afs_bosserver_t:fifo_file rw_file_perms;
-allow afs_ptserver_t afs_bosserver_t:process sigchld;
+domtrans_pattern(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t)
allow afs_bosserver_t afs_vlserver_t:process signal_perms;
-domain_auto_trans(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
-allow afs_vlserver_t afs_bosserver_t:fd use;
-allow afs_vlserver_t afs_bosserver_t:fifo_file rw_file_perms;
-allow afs_vlserver_t afs_bosserver_t:process sigchld;
+domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
kernel_read_kernel_sysctls(afs_bosserver_t)
@@ -133,29 +121,28 @@ sysnet_read_config(afs_bosserver_t)
allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
dontaudit afs_fsserver_t self:capability fsetid;
allow afs_fsserver_t self:process { setsched signal_perms };
-allow afs_fsserver_t self:fifo_file rw_file_perms;
+allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
allow afs_fsserver_t self:udp_socket create_socket_perms;
-allow afs_fsserver_t afs_config_t:file r_file_perms;
-allow afs_fsserver_t afs_config_t:dir r_dir_perms;
+read_files_pattern(afs_fsserver_t,afs_config_t,afs_config_t)
+allow afs_fsserver_t afs_config_t:dir list_dir_perms;
-allow afs_fsserver_t afs_config_t:file manage_file_perms;
-allow afs_fsserver_t afs_config_t:dir manage_dir_perms;
+manage_dirs_pattern(afs_fsserver_t,afs_config_t,afs_config_t)
+manage_files_pattern(afs_fsserver_t,afs_config_t,afs_config_t)
allow afs_fsserver_t afs_files_t:filesystem getattr;
-allow afs_fsserver_t afs_files_t:dir manage_dir_perms;
-allow afs_fsserver_t afs_files_t:file manage_file_perms;
-allow afs_fsserver_t afs_files_t:lnk_file create_lnk_perms;
-allow afs_fsserver_t afs_files_t:sock_file manage_file_perms;
-allow afs_fsserver_t afs_files_t:fifo_file manage_file_perms;
-type_transition afs_fsserver_t afs_config_t:{ file lnk_file sock_file fifo_file } afs_files_t;
-allow afs_fsserver_t afs_config_t:dir rw_dir_perms;
+manage_dirs_pattern(afs_fsserver_t,afs_files_t,afs_files_t)
+manage_files_pattern(afs_fsserver_t,afs_files_t,afs_files_t)
+manage_lnk_files_pattern(afs_fsserver_t,afs_files_t,afs_files_t)
+manage_fifo_files_pattern(afs_fsserver_t,afs_files_t,afs_files_t)
+manage_sock_files_pattern(afs_fsserver_t,afs_files_t,afs_files_t)
+filetrans_pattern(afs_fsserver_t,afs_config_t,afs_files_t,{ file lnk_file sock_file fifo_file })
can_exec(afs_fsserver_t, afs_fsserver_exec_t)
-allow afs_fsserver_t afs_logfile_t:file create_file_perms;
-allow afs_fsserver_t afs_logfile_t:dir create_dir_perms;
+manage_dirs_pattern(afs_fsserver_t,afs_logfile_t,afs_logfile_t)
+manage_files_pattern(afs_fsserver_t,afs_logfile_t,afs_logfile_t)
kernel_read_system_state(afs_fsserver_t)
kernel_read_kernel_sysctls(afs_fsserver_t)
@@ -209,15 +196,13 @@ allow afs_kaserver_t self:unix_stream_socket create_stream_socket_perms;
allow afs_kaserver_t self:tcp_socket create_stream_socket_perms;
allow afs_kaserver_t self:udp_socket create_socket_perms;
-allow afs_kaserver_t afs_config_t:file manage_file_perms;
-allow afs_kaserver_t afs_config_t:dir rw_dir_perms;
+manage_files_pattern(afs_kaserver_t,afs_config_t,afs_config_t)
-allow afs_kaserver_t afs_ka_db_t:file manage_file_perms;
-allow afs_kaserver_t afs_dbdir_t:dir rw_dir_perms;
-type_transition afs_kaserver_t afs_dbdir_t:file afs_ka_db_t;
+manage_files_pattern(afs_kaserver_t,afs_dbdir_t,afs_ka_db_t)
+filetrans_pattern(afs_kaserver_t,afs_dbdir_t,afs_ka_db_t,file)
-allow afs_kaserver_t afs_logfile_t:file manage_file_perms;
-allow afs_kaserver_t afs_logfile_t:dir manage_dir_perms;
+manage_dirs_pattern(afs_kaserver_t,afs_logfile_t,afs_logfile_t)
+manage_files_pattern(afs_kaserver_t,afs_logfile_t,afs_logfile_t)
kernel_read_kernel_sysctls(afs_kaserver_t)
@@ -259,15 +244,14 @@ allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
allow afs_ptserver_t self:udp_socket create_socket_perms;
-allow afs_ptserver_t afs_config_t:file r_file_perms;
-allow afs_ptserver_t afs_config_t:dir r_dir_perms;
+read_files_pattern(afs_ptserver_t,afs_config_t,afs_config_t)
+allow afs_ptserver_t afs_config_t:dir list_dir_perms;
-allow afs_ptserver_t afs_logfile_t:file create_file_perms;
-allow afs_ptserver_t afs_logfile_t:dir create_dir_perms;
+manage_dirs_pattern(afs_ptserver_t,afs_logfile_t,afs_logfile_t)
+manage_files_pattern(afs_ptserver_t,afs_logfile_t,afs_logfile_t)
-allow afs_ptserver_t afs_pt_db_t:file manage_file_perms;
-allow afs_ptserver_t afs_dbdir_t:dir rw_dir_perms;
-type_transition afs_ptserver_t afs_dbdir_t:file afs_pt_db_t;
+manage_files_pattern(afs_ptserver_t,afs_dbdir_t,afs_pt_db_t)
+filetrans_pattern(afs_ptserver_t,afs_dbdir_t,afs_pt_db_t,file)
corenet_non_ipsec_sendrecv(afs_ptserver_t)
corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
@@ -301,15 +285,14 @@ allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
allow afs_vlserver_t self:udp_socket create_socket_perms;
-allow afs_vlserver_t afs_config_t:file r_file_perms;
-allow afs_vlserver_t afs_config_t:dir r_dir_perms;
+read_files_pattern(afs_vlserver_t,afs_config_t,afs_config_t)
+allow afs_vlserver_t afs_config_t:dir list_dir_perms;
-allow afs_vlserver_t afs_logfile_t:file create_file_perms;
-allow afs_vlserver_t afs_logfile_t:dir create_dir_perms;
+manage_dirs_pattern(afs_vlserver_t,afs_logfile_t,afs_logfile_t)
+manage_files_pattern(afs_vlserver_t,afs_logfile_t,afs_logfile_t)
-allow afs_vlserver_t afs_vl_db_t:file manage_file_perms;
-allow afs_vlserver_t afs_dbdir_t:dir rw_dir_perms;
-type_transition afs_vlserver_t afs_dbdir_t:file afs_vl_db_t;
+manage_files_pattern(afs_vlserver_t,afs_dbdir_t,afs_vl_db_t)
+filetrans_pattern(afs_vlserver_t,afs_dbdir_t,afs_vl_db_t,file)
corenet_non_ipsec_sendrecv(afs_vlserver_t)
corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if
index 77233620..2e5f50d0 100644
--- a/policy/modules/services/aide.if
+++ b/policy/modules/services/aide.if
@@ -16,11 +16,7 @@ interface(`aide_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,aide_exec_t,aide_t)
-
- allow aide_t $1:fd use;
- allow aide_t $1:fifo_file rw_file_perms;
- allow aide_t $1:process sigchld;
+ domtrans_pattern($1,aide_exec_t,aide_t)
')
@@ -51,5 +47,5 @@ interface(`aide_run',`
aide_domtrans($1)
role $2 types aide_t;
- allow aide_t $3:chr_file rw_file_perms;
+ allow aide_t $3:chr_file rw_chr_file_perms;
')
diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te
index 620c6748..84fe2ebb 100644
--- a/policy/modules/services/aide.te
+++ b/policy/modules/services/aide.te
@@ -25,17 +25,15 @@ files_type(aide_db_t)
#
allow aide_t self:capability { dac_override fowner };
-# audit
-allow aide_t self:capability audit_write;
-allow aide_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+send_audit_msgs_pattern(aide_t)
# database actions
-allow aide_t aide_db_t:dir rw_dir_perms;
-allow aide_t aide_db_t:file manage_file_perms;
+manage_files_pattern(aide_t,aide_db_t,aide_db_t)
# logs
-logging_log_filetrans(aide_t,aide_log_t,file)
allow aide_t aide_log_t:file manage_file_perms;
+logging_log_filetrans(aide_t,aide_log_t,file)
files_read_all_files(aide_t)
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
index f2368994..41fa0b47 100644
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
@@ -18,12 +18,7 @@ interface(`amavis_domtrans',`
type amavis_t, amavis_exec_t;
')
- domain_auto_trans($1,amavis_exec_t,amavis_t)
-
- allow $1 amavis_t:fd use;
- allow amavis_t $1:fd use;
- allow amavis_t $1:fifo_file rw_file_perms;
- allow amavis_t $1:process sigchld;
+ domtrans_pattern($1,amavis_exec_t,amavis_t)
')
########################################
@@ -61,8 +56,8 @@ interface(`amavis_manage_spool_files',`
')
files_search_spool($1)
- allow $1 amavis_spool_t:dir manage_dir_perms;
- allow $1 amavis_spool_t:file manage_file_perms;
+ manage_dirs_pattern($1,amavis_spool_t,amavis_spool_t)
+ manage_files_pattern($1,amavis_spool_t,amavis_spool_t)
')
########################################
@@ -92,8 +87,7 @@ interface(`amavis_spool_filetrans',`
')
files_search_spool($1)
- allow $1 amavis_spool_t:dir rw_dir_perms;
- type_transition $1 amavis_spool_t:$3 $2;
+ filetrans_pattern($1,amavis_spool_t,$2,$3)
')
########################################
@@ -130,7 +124,7 @@ interface(`amavis_read_lib_files',`
type amavis_var_lib_t;
')
- allow $1 amavis_var_lib_t:file r_file_perms;
+ read_files_pattern($1,amavis_var_lib_t,amavis_var_lib_t)
allow $1 amavis_var_lib_t:dir list_dir_perms;
files_search_var_lib($1)
')
@@ -151,8 +145,7 @@ interface(`amavis_manage_lib_files',`
type amavis_var_lib_t;
')
- allow $1 amavis_var_lib_t:file manage_file_perms;
- allow $1 amavis_var_lib_t:dir rw_dir_perms;
+ manage_files_pattern($1,amavis_var_lib_t,amavis_var_lib_t)
files_search_var_lib($1)
')
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index c26c5d3e..ef89f9b7 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -46,48 +46,47 @@ files_type(amavis_spool_t)
allow amavis_t self:capability { kill chown dac_override setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process { signal sigchld signull };
-allow amavis_t self:fifo_file rw_file_perms;
+allow amavis_t self:fifo_file rw_fifo_file_perms;
allow amavis_t self:unix_stream_socket create_stream_socket_perms;
allow amavis_t self:unix_dgram_socket create_socket_perms;
allow amavis_t self:tcp_socket { listen accept };
# configuration files
-allow amavis_t amavis_etc_t:dir r_dir_perms;
-allow amavis_t amavis_etc_t:file r_file_perms;
-allow amavis_t amavis_etc_t:lnk_file { getattr read };
+allow amavis_t amavis_etc_t:dir list_dir_perms;
+read_files_pattern(amavis_t,amavis_etc_t,amavis_etc_t)
+read_lnk_files_pattern(amavis_t,amavis_etc_t,amavis_etc_t)
# mail quarantine
-allow amavis_t amavis_quarantine_t:file create_file_perms;
-allow amavis_t amavis_quarantine_t:sock_file create_file_perms;
-allow amavis_t amavis_quarantine_t:dir create_dir_perms;
+manage_dirs_pattern(amavis_t,amavis_quarantine_t,amavis_quarantine_t)
+manage_files_pattern(amavis_t,amavis_quarantine_t,amavis_quarantine_t)
+manage_sock_files_pattern(amavis_t,amavis_quarantine_t,amavis_quarantine_t)
# Spool Files
+manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
+manage_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
+manage_sock_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
+filetrans_pattern(amavis_t,amavis_spool_t,amavis_var_run_t,sock_file)
files_search_spool(amavis_t)
-allow amavis_t amavis_spool_t:dir manage_dir_perms;
-allow amavis_t amavis_spool_t:file manage_file_perms;
-allow amavis_t amavis_spool_t:sock_file manage_file_perms;
-type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;
# tmp files
-allow amavis_t amavis_tmp_t:file create_file_perms;
-allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr };
+manage_files_pattern(amavis_t,amavis_tmp_t,amavis_tmp_t)
+allow amavis_t amavis_tmp_t:dir setattr;
files_tmp_filetrans(amavis_t,amavis_tmp_t,file)
# var/lib files for amavis
-allow amavis_t amavis_var_lib_t:file create_file_perms;
-allow amavis_t amavis_var_lib_t:sock_file create_file_perms;
-allow amavis_t amavis_var_lib_t:dir create_dir_perms;
+manage_dirs_pattern(amavis_t,amavis_var_lib_t,amavis_var_lib_t)
+manage_files_pattern(amavis_t,amavis_var_lib_t,amavis_var_lib_t)
+manage_sock_files_pattern(amavis_t,amavis_var_lib_t,amavis_var_lib_t)
# log files
-allow amavis_t amavis_var_log_t:file create_file_perms;
-allow amavis_t amavis_var_log_t:sock_file create_file_perms;
-allow amavis_t amavis_var_log_t:dir { rw_dir_perms setattr };
+allow amavis_t amavis_var_log_t:dir setattr;
+manage_files_pattern(amavis_t,amavis_var_log_t,amavis_var_log_t)
+manage_sock_files_pattern(amavis_t,amavis_var_log_t,amavis_var_log_t)
logging_log_filetrans(amavis_t,amavis_var_log_t,{ sock_file file dir })
# pid file
-allow amavis_t amavis_var_run_t:file manage_file_perms;
-allow amavis_t amavis_var_run_t:sock_file manage_file_perms;
-allow amavis_t amavis_var_run_t:dir rw_dir_perms;
+manage_files_pattern(amavis_t,amavis_var_run_t,amavis_var_run_t)
+manage_sock_files_pattern(amavis_t,amavis_var_run_t,amavis_var_run_t)
files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(amavis_t)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 76f9dfaf..5b389022 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -51,15 +51,11 @@ template(`apache_content_template',`
type httpd_$1_script_ra_t, httpdcontent; # customizable
files_type(httpd_$1_script_ra_t)
- allow httpd_t httpd_$1_htaccess_t:file r_file_perms;
+ allow httpd_t httpd_$1_htaccess_t:file read_file_perms;
- domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
- allow httpd_suexec_t httpd_$1_script_t:fd use;
- allow httpd_$1_script_t httpd_suexec_t:fd use;
- allow httpd_$1_script_t httpd_suexec_t:fifo_file rw_file_perms;
- allow httpd_$1_script_t httpd_suexec_t:process sigchld;
+ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
+ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
allow httpd_$1_script_t self:fifo_file rw_file_perms;
allow httpd_$1_script_t self:unix_stream_socket connectto;
@@ -69,28 +65,28 @@ template(`apache_content_template',`
dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
# Allow the script process to search the cgi directory, and users directory
- allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
+ allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
- allow httpd_$1_script_t httpd_log_t:file { getattr append };
- allow httpd_$1_script_t httpd_log_t:dir search;
+ append_files_pattern(httpd_$1_script_t,httpd_log_t,httpd_log_t)
logging_search_logs(httpd_$1_script_t)
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
- allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;
- allow httpd_$1_script_t httpd_$1_script_ra_t:dir ra_dir_perms;
- allow httpd_$1_script_t httpd_$1_script_ra_t:file ra_file_perms;
- allow httpd_$1_script_t httpd_$1_script_ra_t:lnk_file { getattr read };
+ allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+ append_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+ read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
- allow httpd_$1_script_t httpd_$1_script_ro_t:dir { getattr read search };
- allow httpd_$1_script_t httpd_$1_script_ro_t:file { read getattr };
- allow httpd_$1_script_t httpd_$1_script_ro_t:lnk_file { getattr read };
+ allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms;
+ read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+ read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
- allow httpd_$1_script_t httpd_$1_script_rw_t:dir create_dir_perms;
- allow httpd_$1_script_t httpd_$1_script_rw_t:file create_file_perms;
- allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
- allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
- allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
+ manage_dirs_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+ manage_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+ manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+ manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+ manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
@@ -117,9 +113,10 @@ template(`apache_content_template',`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_$1_script_t httpdcontent:file entrypoint;
- allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
- allow httpd_$1_script_t httpdcontent:file create_file_perms;
- allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
+
+ manage_dirs_pattern(httpd_$1_script_t,httpdcontent,httpdcontent)
+ manage_files_pattern(httpd_$1_script_t,httpdcontent,httpdcontent)
+ manage_lnk_files_pattern(httpd_$1_script_t,httpdcontent,httpdcontent)
can_exec(httpd_$1_script_t, httpdcontent)
')
@@ -129,44 +126,36 @@ template(`apache_content_template',`
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
- allow httpd_t httpd_$1_script_rw_t:dir create_dir_perms;
- allow httpd_t httpd_$1_script_rw_t:file create_file_perms;
- allow httpd_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
- allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
+ manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+ manage_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+ manage_lnk_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+ rw_sock_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
- allow httpd_t httpd_$1_script_ra_t:dir ra_dir_perms;
- allow httpd_t httpd_$1_script_ra_t:file ra_file_perms;
- allow httpd_t httpd_$1_script_ra_t:lnk_file { getattr read };
+ allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
+ read_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+ append_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+ read_lnk_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
- allow httpd_t httpd_$1_script_ro_t:dir r_dir_perms;
- allow httpd_t httpd_$1_script_ro_t:file r_file_perms;
- allow httpd_t httpd_$1_script_ro_t:lnk_file { getattr read };
+ allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms;
+ read_files_pattern(httpd_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+ read_lnk_files_pattern(httpd_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
- allow httpd_t httpd_$1_content_t:dir r_dir_perms;
- allow httpd_t httpd_$1_content_t:file r_file_perms;
- allow httpd_t httpd_$1_content_t:lnk_file { getattr read };
+ allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
+ read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
')
tunable_policy(`httpd_enable_cgi',`
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
# privileged users run the script:
- domain_auto_trans(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
- allow httpd_exec_scripts httpd_$1_script_t:fd use;
- allow httpd_$1_script_t httpd_exec_scripts:fd use;
- allow httpd_$1_script_t httpd_exec_scripts:fifo_file rw_file_perms;
- allow httpd_$1_script_t httpd_exec_scripts:process sigchld;
+ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
# apache runs the script:
- domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
- allow httpd_t httpd_$1_script_t:fd use;
- allow httpd_$1_script_t httpd_t:fd use;
- allow httpd_$1_script_t httpd_t:fifo_file rw_file_perms;
- allow httpd_$1_script_t httpd_t:process sigchld;
+ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
- allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
- allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
+ allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
allow httpd_$1_script_t self:process { setsched signal_perms };
allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
@@ -287,45 +276,45 @@ template(`apache_per_role_template', `
allow $2 httpd_$1_content_t:{ dir file lnk_file } { relabelto relabelfrom };
- allow $2 httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
+ allow $2 httpd_$1_htaccess_t:file { manage_file_perms relabelto relabelfrom };
- allow $2 httpd_$1_script_ra_t:lnk_file { create_lnk_perms relabelto relabelfrom };
- allow $2 httpd_$1_script_ra_t:dir { create_dir_perms relabelto relabelfrom };
- allow $2 httpd_$1_script_ra_t:file { create_file_perms relabelto relabelfrom };
+ manage_dirs_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+ manage_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+ manage_lnk_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+ relabel_dirs_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+ relabel_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+ relabel_lnk_files_pattern($2,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
- allow $2 httpd_$1_script_ro_t:lnk_file { create_lnk_perms relabelto relabelfrom };
- allow $2 httpd_$1_script_ro_t:dir { create_dir_perms relabelto relabelfrom };
- allow $2 httpd_$1_script_ro_t:file { create_file_perms relabelto relabelfrom };
+ manage_dirs_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+ manage_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+ manage_lnk_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+ relabel_dirs_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+ relabel_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+ relabel_lnk_files_pattern($2,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
- allow $2 httpd_$1_script_rw_t:lnk_file { create_lnk_perms relabelto relabelfrom };
- allow $2 httpd_$1_script_rw_t:dir { create_dir_perms relabelto relabelfrom };
- allow $2 httpd_$1_script_rw_t:file { create_file_perms relabelto relabelfrom };
+ manage_dirs_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+ manage_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+ manage_lnk_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+ relabel_dirs_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+ relabel_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+ relabel_lnk_files_pattern($2,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
- allow $2 httpd_$1_script_exec_t:dir create_dir_perms;
- allow $2 httpd_$1_script_exec_t:file create_file_perms;
- allow $2 httpd_$1_script_exec_t:lnk_file create_lnk_perms;
-
- allow $2 httpd_$1_script_exec_t:dir { create_dir_perms relabelto relabelfrom };
- allow $2 httpd_$1_script_exec_t:file { create_file_perms relabelto relabelfrom };
- allow $2 httpd_$1_script_exec_t:lnk_file { create_lnk_perms relabelto relabelfrom };
+ manage_dirs_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
+ manage_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
+ manage_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
+ relabel_dirs_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
+ relabel_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
+ relabel_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
- domain_auto_trans($2, httpd_$1_script_exec_t, httpd_$1_script_t)
- allow $2 httpd_$1_script_t:fd use;
- allow httpd_$1_script_t $2:fd use;
- allow httpd_$1_script_t $2:fifo_file rw_file_perms;
- allow httpd_$1_script_t $2:process sigchld;
+ domtrans_pattern($2, httpd_$1_script_exec_t, httpd_$1_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_$1_script_t httpdcontent:file entrypoint;
- domain_auto_trans($2, httpdcontent, httpd_$1_script_t)
- allow $2 httpd_$1_script_t:fd use;
- allow httpd_$1_script_t $2:fd use;
- allow httpd_$1_script_t $2:fifo_file rw_file_perms;
- allow httpd_$1_script_t $2:process sigchld;
+ domtrans_pattern($2, httpdcontent, httpd_$1_script_t)
')
# allow accessing files/dirs below the users home dir
@@ -357,9 +346,9 @@ template(`apache_read_user_scripts',`
type httpd_$1_script_exec_t;
')
- allow $2 httpd_$1_script_exec_t:dir r_dir_perms;
- allow $2 httpd_$1_script_exec_t:file r_file_perms;
- allow $2 httpd_$1_script_exec_t:lnk_file { getattr read };
+ allow $2 httpd_$1_script_exec_t:dir list_dir_perms;
+ read_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
+ read_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
')
########################################
@@ -383,9 +372,9 @@ template(`apache_read_user_content',`
type httpd_$1_content_t;
')
- allow $2 httpd_$1_content_t:dir r_dir_perms;
- allow $2 httpd_$1_content_t:file r_file_perms;
- allow $2 httpd_$1_content_t:lnk_file { getattr read };
+ allow $2 httpd_$1_content_t:dir list_dir_perms;
+ read_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t)
+ read_lnk_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t)
')
########################################
@@ -404,12 +393,7 @@ interface(`apache_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,httpd_exec_t,httpd_t)
-
- allow $1 httpd_t:fd use;
- allow httpd_t $1:fd use;
- allow httpd_t $1:fifo_file rw_file_perms;
- allow httpd_t $1:process sigchld;
+ domtrans_pattern($1,httpd_exec_t,httpd_t)
')
########################################
@@ -520,14 +504,13 @@ interface(`apache_manage_all_content',`
attribute httpdcontent, httpd_script_exec_type;
')
- allow $1 httpdcontent:dir manage_dir_perms;
- allow $1 httpdcontent:file manage_file_perms;
- allow $1 httpdcontent:lnk_file create_lnk_perms;
-
- allow $1 httpd_script_exec_type:dir manage_dir_perms;
- allow $1 httpd_script_exec_type:file manage_file_perms;
- allow $1 httpd_script_exec_type:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1,httpdcontent,httpdcontent)
+ manage_files_pattern($1,httpdcontent,httpdcontent)
+ manage_lnk_files_pattern($1,httpdcontent,httpdcontent)
+ manage_dirs_pattern($1,httpd_script_exec_type,httpd_script_exec_type)
+ manage_files_pattern($1,httpd_script_exec_type,httpd_script_exec_type)
+ manage_lnk_files_pattern($1,httpd_script_exec_type,httpd_script_exec_type)
')
########################################
@@ -567,9 +550,9 @@ interface(`apache_read_config',`
')
files_search_etc($1)
- allow $1 httpd_config_t:dir r_dir_perms;
- allow $1 httpd_config_t:file r_file_perms;
- allow $1 httpd_config_t:lnk_file { getattr read };
+ allow $1 httpd_config_t:dir list_dir_perms;
+ read_files_pattern($1,httpd_config_t,httpd_config_t)
+ read_lnk_files_pattern($1,httpd_config_t,httpd_config_t)
')
########################################
@@ -589,9 +572,9 @@ interface(`apache_manage_config',`
')
files_search_etc($1)
- allow $1 httpd_config_t:dir manage_dir_perms;
- allow $1 httpd_config_t:file manage_file_perms;
- allow $1 httpd_config_t:lnk_file { getattr read };
+ manage_dirs_pattern($1,httpd_config_t,httpd_config_t)
+ manage_files_pattern($1,httpd_config_t,httpd_config_t)
+ read_lnk_files_pattern($1,httpd_config_t,httpd_config_t)
')
########################################
@@ -611,12 +594,7 @@ interface(`apache_domtrans_helper',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,httpd_helper_exec_t,httpd_helper_t)
-
- allow $1 httpd_helper_t:fd use;
- allow httpd_helper_t $1:fd use;
- allow httpd_helper_t $1:fifo_file rw_file_perms;
- allow httpd_helper_t $1:process sigchld;
+ domtrans_pattern($1,httpd_helper_exec_t,httpd_helper_t)
')
########################################
@@ -670,9 +648,9 @@ interface(`apache_read_log',`
')
logging_search_logs($1)
- allow $1 httpd_log_t:dir r_dir_perms;
- allow $1 httpd_log_t:file r_file_perms;
- allow $1 httpd_log_t:lnk_file { getattr read };
+ allow $1 httpd_log_t:dir list_dir_perms;
+ read_files_pattern($1,httpd_log_t,httpd_log_t)
+ read_lnk_files_pattern($1,httpd_log_t,httpd_log_t)
')
########################################
@@ -692,8 +670,8 @@ interface(`apache_append_log',`
')
logging_search_logs($1)
- allow $1 httpd_log_t:dir r_dir_perms;
- allow $1 httpd_log_t:file append;
+ allow $1 httpd_log_t:dir list_dir_perms;
+ append_files_pattern($1,httpd_log_t,httpd_log_t)
')
########################################
@@ -732,9 +710,9 @@ interface(`apache_manage_log',`
')
logging_search_logs($1)
- allow $1 httpd_log_t:dir manage_dir_perms;
- allow $1 httpd_log_t:file manage_file_perms;
- allow $1 httpd_log_t:lnk_file { getattr read };
+ manage_dirs_pattern($1,httpd_log_t,httpd_log_t)
+ manage_files_pattern($1,httpd_log_t,httpd_log_t)
+ read_lnk_files_pattern($1,httpd_log_t,httpd_log_t)
')
########################################
@@ -773,7 +751,7 @@ interface(`apache_list_modules',`
type httpd_modules_t;
')
- allow $1 httpd_modules_t:dir r_dir_perms;
+ allow $1 httpd_modules_t:dir list_dir_perms;
')
########################################
@@ -792,8 +770,8 @@ interface(`apache_exec_modules',`
type httpd_modules_t;
')
- allow $1 httpd_modules_t:dir r_dir_perms;
- allow $1 httpd_modules_t:lnk_file r_file_perms;
+ allow $1 httpd_modules_t:dir list_dir_perms;
+ allow $1 httpd_modules_t:lnk_file read_file_perms;
can_exec($1,httpd_modules_t)
')
@@ -812,11 +790,7 @@ interface(`apache_domtrans_rotatelogs',`
type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
')
- domain_auto_trans($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t)
-
- allow httpd_rotatelogs_t $1:fd use;
- allow httpd_rotatelogs_t $1:fifo_file rw_file_perms;
- allow httpd_rotatelogs_t $1:process sigchld;
+ domtrans_pattern($1,httpd_rotatelogs_exec_t,httpd_rotatelogs_t)
')
########################################
@@ -838,9 +812,9 @@ interface(`apache_manage_sys_content',`
')
files_search_var($1)
- allow $1 httpd_sys_content_t:dir create_dir_perms;
- allow $1 httpd_sys_content_t:file create_file_perms;
- allow $1 httpd_sys_content_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1,httpd_sys_content_t,httpd_sys_content_t)
+ manage_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t)
+ manage_lnk_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t)
')
########################################
@@ -863,12 +837,7 @@ interface(`apache_domtrans_sys_script',`
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
- domain_auto_trans($1, httpdcontent, httpd_sys_script_t)
-
- allow $1 httpd_sys_script_t:fd use;
- allow httpd_sys_script_t $1:fd use;
- allow httpd_sys_script_t $1:fifo_file rw_file_perms;
- allow httpd_sys_script_t $1:process sigchld;
+ domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
')
')
@@ -1009,9 +978,9 @@ interface(`apache_read_sys_content',`
type httpd_sys_content_t;
')
- allow $1 httpd_sys_content_t:dir r_dir_perms;
- allow $1 httpd_sys_content_t:file { getattr read };
- allow $1 httpd_sys_content_t:lnk_file { getattr read };
+ allow $1 httpd_sys_content_t:dir list_dir_perms;
+ read_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t)
+ read_lnk_files_pattern($1,httpd_sys_content_t,httpd_sys_content_t)
')
########################################
@@ -1029,5 +998,5 @@ interface(`apache_search_sys_script_state',`
type httpd_sys_script_t;
')
- allow $1 httpd_sys_script_t:dir search;
+ allow $1 httpd_sys_script_t:dir search_dir_perms;
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index a041e6ee..b3aa4979 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -133,8 +133,8 @@ allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_co
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
-allow httpd_t self:sock_file r_file_perms;
-allow httpd_t self:fifo_file rw_file_perms;
+allow httpd_t self:sock_file read_sock_file_perms;
+allow httpd_t self:fifo_file rw_fifo_file_perms;
allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
@@ -145,68 +145,68 @@ allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
# Allow httpd_t to put files in /var/cache/httpd etc
-allow httpd_t httpd_cache_t:dir create_dir_perms;
-allow httpd_t httpd_cache_t:file create_file_perms;
-allow httpd_t httpd_cache_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(httpd_t,httpd_cache_t,httpd_cache_t)
+manage_files_pattern(httpd_t,httpd_cache_t,httpd_cache_t)
+manage_lnk_files_pattern(httpd_t,httpd_cache_t,httpd_cache_t)
# Allow the httpd_t to read the web servers config files
-allow httpd_t httpd_config_t:dir r_dir_perms;
-allow httpd_t httpd_config_t:file r_file_perms;
-allow httpd_t httpd_config_t:lnk_file { getattr read };
+allow httpd_t httpd_config_t:dir list_dir_perms;
+read_files_pattern(httpd_t,httpd_config_t,httpd_config_t)
+read_lnk_files_pattern(httpd_t,httpd_config_t,httpd_config_t)
can_exec(httpd_t, httpd_exec_t)
-allow httpd_t httpd_lock_t:file create_file_perms;
+allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t,httpd_lock_t,file)
-allow httpd_t httpd_log_t:dir { setattr rw_dir_perms };
-allow httpd_t httpd_log_t:file { create ra_file_perms };
-allow httpd_t httpd_log_t:lnk_file read;
+allow httpd_t httpd_log_t:dir setattr;
+create_files_pattern(httpd_t,httpd_log_t,httpd_log_t)
+append_files_pattern(httpd_t,httpd_log_t,httpd_log_t)
+read_files_pattern(httpd_t,httpd_log_t,httpd_log_t)
+read_lnk_files_pattern(httpd_t,httpd_log_t,httpd_log_t)
# cjp: need to refine create interfaces to
# cut this back to add_name only
logging_log_filetrans(httpd_t,httpd_log_t,file)
-allow httpd_t httpd_modules_t:file rx_file_perms;
-allow httpd_t httpd_modules_t:dir r_dir_perms;
-allow httpd_t httpd_modules_t:lnk_file r_file_perms;
+allow httpd_t httpd_modules_t:dir list_dir_perms;
+mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
+read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
allow httpd_t httpd_rotatelogs_t:process signal_perms;
-allow httpd_t httpd_squirrelmail_t:dir create_dir_perms;
-allow httpd_t httpd_squirrelmail_t:lnk_file create_lnk_perms;
-allow httpd_t httpd_squirrelmail_t:file create_file_perms;
+manage_dirs_pattern(httpd_t,httpd_squirrelmail_t,httpd_squirrelmail_t)
+manage_files_pattern(httpd_t,httpd_squirrelmail_t,httpd_squirrelmail_t)
+manage_lnk_files_pattern(httpd_t,httpd_squirrelmail_t,httpd_squirrelmail_t)
allow httpd_t httpd_suexec_exec_t:file { getattr read };
-allow httpd_t httpd_sys_content_t:dir r_dir_perms;
-allow httpd_t httpd_sys_content_t:file r_file_perms;
-allow httpd_t httpd_sys_content_t:lnk_file r_file_perms;
+allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
+read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
-allow httpd_t httpd_tmp_t:dir create_dir_perms;
-allow httpd_t httpd_tmp_t:file create_file_perms;
+manage_dirs_pattern(httpd_t,httpd_tmp_t,httpd_tmp_t)
+manage_files_pattern(httpd_t,httpd_tmp_t,httpd_tmp_t)
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir })
-allow httpd_t httpd_tmpfs_t:dir create_dir_perms;
-allow httpd_t httpd_tmpfs_t:file create_file_perms;
-allow httpd_t httpd_tmpfs_t:lnk_file create_lnk_perms;
-allow httpd_t httpd_tmpfs_t:sock_file create_file_perms;
-allow httpd_t httpd_tmpfs_t:fifo_file create_file_perms;
+manage_dirs_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t)
+manage_files_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t)
+manage_lnk_files_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t)
+manage_fifo_files_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t)
+manage_sock_files_pattern(httpd_t,httpd_tmpfs_t,httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-allow httpd_t httpd_var_lib_t:file create_file_perms;
-allow httpd_t httpd_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(httpd_t,httpd_var_lib_t,httpd_var_lib_t)
files_var_lib_filetrans(httpd_t,httpd_var_lib_t,file)
-allow httpd_t httpd_var_run_t:file create_file_perms;
-allow httpd_t httpd_var_run_t:sock_file create_file_perms;
-allow httpd_t httpd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
+manage_sock_files_pattern(httpd_t,httpd_var_run_t,httpd_var_run_t)
files_pid_filetrans(httpd_t,httpd_var_run_t, { file sock_file })
-allow httpd_t squirrelmail_spool_t:dir create_dir_perms;
-allow httpd_t squirrelmail_spool_t:file create_file_perms;
-allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(httpd_t,squirrelmail_spool_t,squirrelmail_spool_t)
+manage_files_pattern(httpd_t,squirrelmail_spool_t,squirrelmail_spool_t)
+manage_lnk_files_pattern(httpd_t,squirrelmail_spool_t,squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
@@ -330,26 +330,18 @@ tunable_policy(`httpd_can_network_relay',`
')
tunable_policy(`httpd_enable_cgi',`
- domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
- allow httpd_t httpd_unconfined_script_t:fd use;
- allow httpd_unconfined_script_t httpd_t:fd use;
- allow httpd_unconfined_script_t httpd_t:fifo_file rw_file_perms;
- allow httpd_unconfined_script_t httpd_t:process sigchld;
+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
- allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
+ allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms;
')
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
- allow httpd_t httpd_sys_script_t:fd use;
- allow httpd_sys_script_t httpd_t:fd use;
- allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
- allow httpd_sys_script_t httpd_t:process sigchld;
+ domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
- allow httpd_t httpdcontent:dir create_dir_perms;
- allow httpd_t httpdcontent:file create_file_perms;
- allow httpd_t httpdcontent:lnk_file create_lnk_perms;
+ manage_dirs_pattern(httpd_t,httpdcontent,httpdcontent)
+ manage_files_pattern(httpd_t,httpdcontent,httpdcontent)
+ manage_lnk_files_pattern(httpd_t,httpdcontent,httpdcontent)
')
tunable_policy(`httpd_enable_ftp_server',`
@@ -368,7 +360,6 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
- allow httpd_t httpd_sys_script_t:fd use;
allow httpd_sys_script_t httpd_t:fd use;
allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
allow httpd_sys_script_t httpd_t:process sigchld;
@@ -446,11 +437,7 @@ optional_policy(`
# Apache helper local policy
#
-domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-allow httpd_t httpd_helper_t:fd use;
-allow httpd_helper_t httpd_t:fd use;
-allow httpd_helper_t httpd_t:fifo_file rw_file_perms;
-allow httpd_helper_t httpd_t:process sigchld;
+domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
allow httpd_helper_t httpd_config_t:file { getattr read };
@@ -475,8 +462,8 @@ tunable_policy(`httpd_tty_comm',`
allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_php_t self:fd use;
-allow httpd_php_t self:fifo_file rw_file_perms;
-allow httpd_php_t self:sock_file r_file_perms;
+allow httpd_php_t self:fifo_file rw_fifo_file_perms;
+allow httpd_php_t self:sock_file read_sock_file_perms;
allow httpd_php_t self:unix_dgram_socket create_socket_perms;
allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
allow httpd_php_t self:unix_dgram_socket sendto;
@@ -486,17 +473,13 @@ allow httpd_php_t self:sem create_sem_perms;
allow httpd_php_t self:msgq create_msgq_perms;
allow httpd_php_t self:msg { send receive };
-domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
-allow httpd_t httpd_php_t:fd use;
-allow httpd_php_t httpd_t:fd use;
-allow httpd_php_t httpd_t:fifo_file rw_file_perms;
-allow httpd_php_t httpd_t:process sigchld;
+domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
# allow php to read and append to apache logfiles
-allow httpd_php_t httpd_log_t:file ra_file_perms;
+allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
-allow httpd_php_t httpd_php_tmp_t:dir create_dir_perms;
-allow httpd_php_t httpd_php_tmp_t:file create_file_perms;
+manage_dirs_pattern(httpd_php_t,httpd_php_tmp_t,httpd_php_tmp_t)
+manage_files_pattern(httpd_php_t,httpd_php_tmp_t,httpd_php_tmp_t)
files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
fs_search_auto_mountpoints(httpd_php_t)
@@ -529,20 +512,18 @@ ifdef(`targeted_policy',`
gen_tunable(httpd_suexec_disable_trans,false)
tunable_policy(`httpd_suexec_disable_trans',`',`
- domain_auto_trans(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
- allow httpd_t httpd_suexec_t:fd use;
- allow httpd_suexec_t httpd_t:fd use;
- allow httpd_suexec_t httpd_t:fifo_file rw_file_perms;
- allow httpd_suexec_t httpd_t:process sigchld;
+ domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
')
')
-allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
-allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
+create_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
+append_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
+read_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t)
+
allow httpd_suexec_t httpd_t:fifo_file getattr;
-allow httpd_suexec_t httpd_suexec_tmp_t:dir create_dir_perms;
-allow httpd_suexec_t httpd_suexec_tmp_t:file create_file_perms;
+manage_dirs_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
+manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
kernel_read_kernel_sysctls(httpd_suexec_t)
@@ -594,19 +575,11 @@ tunable_policy(`httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_cgi',`
- domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
- allow httpd_suexec_t httpd_unconfined_script_t:fd use;
- allow httpd_unconfined_script_t httpd_suexec_t:fd use;
- allow httpd_unconfined_script_t httpd_suexec_t:fifo_file rw_file_perms;
- allow httpd_unconfined_script_t httpd_suexec_t:process sigchld;
+ domtrans_pattern(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
- domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
- allow httpd_suexec_t httpd_sys_script_t:fd use;
- allow httpd_sys_script_t httpd_suexec_t:fd use;
- allow httpd_sys_script_t httpd_suexec_t:fifo_file rw_file_perms;
- allow httpd_sys_script_t httpd_suexec_t:process sigchld;
+ domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -655,9 +628,9 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search;
allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
-allow httpd_sys_script_t squirrelmail_spool_t:dir r_dir_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:file r_file_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file { getattr read };
+allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
+read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
+read_lnk_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -720,8 +693,7 @@ optional_policy(`
# httpd_rotatelogs local policy
#
-allow httpd_rotatelogs_t httpd_log_t:dir rw_dir_perms;
-allow httpd_rotatelogs_t httpd_log_t:file manage_file_perms;
+manage_files_pattern(httpd_rotatelogs_t,httpd_log_t,httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if
index 8fd6d54a..901788f6 100644
--- a/policy/modules/services/apm.if
+++ b/policy/modules/services/apm.if
@@ -16,12 +16,7 @@ interface(`apm_domtrans_client',`
')
corecmd_search_bin($1)
- domain_auto_trans($1,apm_exec_t,apm_t)
-
- allow $1 apm_t:fd use;
- allow apm_t $1:fd use;
- allow apm_t $1:fifo_file rw_file_perms;
- allow apm_t $1:process sigchld;
+ domtrans_pattern($1,apm_exec_t,apm_t)
')
########################################
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
index 72878960..f4875ea1 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -67,20 +67,19 @@ logging_send_syslog_msg(apm_t)
allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
-allow apmd_t self:fifo_file rw_file_perms;
+allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
-allow apmd_t apmd_log_t:file create_file_perms;
+allow apmd_t apmd_log_t:file manage_file_perms;
logging_log_filetrans(apmd_t,apmd_log_t,file)
-allow apmd_t apmd_tmp_t:dir create_dir_perms;
-allow apmd_t apmd_tmp_t:file create_file_perms;
+manage_dirs_pattern(apmd_t,apmd_tmp_t,apmd_tmp_t)
+manage_files_pattern(apmd_t,apmd_tmp_t,apmd_tmp_t)
files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir })
-allow apmd_t apmd_var_run_t:dir rw_dir_perms;
-allow apmd_t apmd_var_run_t:file create_file_perms;
-allow apmd_t apmd_var_run_t:sock_file create_file_perms;
+manage_files_pattern(apmd_t,apmd_var_run_t,apmd_var_run_t)
+manage_sock_files_pattern(apmd_t,apmd_var_run_t,apmd_var_run_t)
files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(apmd_t)
@@ -148,7 +147,7 @@ userdom_dontaudit_search_sysadm_home_dirs(apmd_t)
userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive?
ifdef(`distro_redhat',`
- allow apmd_t apmd_lock_t:file create_file_perms;
+ allow apmd_t apmd_lock_t:file manage_file_perms;
files_lock_filetrans(apmd_t,apmd_lock_t,file)
can_exec(apmd_t, apmd_var_run_t)
@@ -172,8 +171,8 @@ ifdef(`distro_redhat',`
')
ifdef(`distro_suse',`
- allow apmd_t apmd_var_lib_t:file create_file_perms;
- allow apmd_t apmd_var_lib_t:dir create_dir_perms;
+ manage_dirs_pattern(apmd_t,apmd_var_lib_t,apmd_var_lib_t)
+ manage_files_pattern(apmd_t,apmd_var_lib_t,apmd_var_lib_t)
files_var_lib_filetrans(apmd_t,apmd_var_lib_t,file)
')
diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
index f354902b..7f830f92 100644
--- a/policy/modules/services/arpwatch.if
+++ b/policy/modules/services/arpwatch.if
@@ -15,7 +15,7 @@ interface(`arpwatch_search_data',`
type arpwatch_data_t;
')
- allow $1 arpwatch_data_t:dir search;
+ allow $1 arpwatch_data_t:dir search_dir_perms;
')
########################################
@@ -33,8 +33,7 @@ interface(`arpwatch_manage_data_files',`
type arpwatch_data_t;
')
- allow $1 arpwatch_data_t:dir rw_dir_perms;
- allow $1 arpwatch_data_t:file create_file_perms;
+ manage_files_pattern($1,arpwatch_data_t,arpwatch_data_t)
')
########################################
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
index be4cc269..51ef5be6 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
@@ -33,16 +33,15 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
allow arpwatch_t self:udp_socket create_socket_perms;
allow arpwatch_t self:packet_socket create_socket_perms;
-allow arpwatch_t arpwatch_data_t:dir create_dir_perms;
-allow arpwatch_t arpwatch_data_t:file create_file_perms;
-allow arpwatch_t arpwatch_data_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(arpwatch_t,arpwatch_data_t,arpwatch_data_t)
+manage_files_pattern(arpwatch_t,arpwatch_data_t,arpwatch_data_t)
+manage_lnk_files_pattern(arpwatch_t,arpwatch_data_t,arpwatch_data_t)
-allow arpwatch_t arpwatch_tmp_t:dir create_dir_perms;
-allow arpwatch_t arpwatch_tmp_t:file create_file_perms;
+manage_dirs_pattern(arpwatch_t,arpwatch_tmp_t,arpwatch_tmp_t)
+manage_files_pattern(arpwatch_t,arpwatch_tmp_t,arpwatch_tmp_t)
files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
-allow arpwatch_t arpwatch_var_run_t:file create_file_perms;
-allow arpwatch_t arpwatch_var_run_t:dir rw_dir_perms;
+manage_files_pattern(arpwatch_t,arpwatch_var_run_t,arpwatch_var_run_t)
files_pid_filetrans(arpwatch_t,arpwatch_var_run_t,file)
kernel_read_kernel_sysctls(arpwatch_t)
@@ -112,4 +111,3 @@ optional_policy(`
optional_policy(`
udev_read_db(arpwatch_t)
')
-
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index 59ac279b..80eecdd5 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -40,44 +40,40 @@ files_pid_file(asterisk_var_run_t)
allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
dontaudit asterisk_t self:capability sys_tty_config;
allow asterisk_t self:process { setsched signal_perms };
-allow asterisk_t self:fifo_file rw_file_perms;
+allow asterisk_t self:fifo_file rw_fifo_file_perms;
allow asterisk_t self:sem create_sem_perms;
allow asterisk_t self:shm create_shm_perms;
allow asterisk_t self:tcp_socket create_stream_socket_perms;
allow asterisk_t self:udp_socket create_socket_perms;
-allow asterisk_t asterisk_etc_t:file r_file_perms;
-allow asterisk_t asterisk_etc_t:dir r_dir_perms;
-allow asterisk_t asterisk_etc_t:lnk_file { getattr read };
+allow asterisk_t asterisk_etc_t:dir list_dir_perms;
+read_files_pattern(asterisk_t,asterisk_etc_t,asterisk_etc_t)
+read_lnk_files_pattern(asterisk_t,asterisk_etc_t,asterisk_etc_t)
files_search_etc(asterisk_t)
-allow asterisk_t asterisk_log_t:file manage_file_perms;
-allow asterisk_t asterisk_log_t:dir rw_dir_perms;
+manage_files_pattern(asterisk_t,asterisk_log_t,asterisk_log_t)
logging_log_filetrans(asterisk_t,asterisk_log_t,{ file dir })
-allow asterisk_t asterisk_spool_t:dir manage_dir_perms;
-allow asterisk_t asterisk_spool_t:file manage_file_perms;
-allow asterisk_t asterisk_spool_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(asterisk_t,asterisk_spool_t,asterisk_spool_t)
+manage_files_pattern(asterisk_t,asterisk_spool_t,asterisk_spool_t)
+manage_lnk_files_pattern(asterisk_t,asterisk_spool_t,asterisk_spool_t)
-allow asterisk_t asterisk_tmp_t:dir create_dir_perms;
-allow asterisk_t asterisk_tmp_t:file create_file_perms;
+manage_dirs_pattern(asterisk_t,asterisk_tmp_t,asterisk_tmp_t)
+manage_files_pattern(asterisk_t,asterisk_tmp_t,asterisk_tmp_t)
files_tmp_filetrans(asterisk_t, asterisk_tmp_t, { file dir })
-allow asterisk_t asterisk_tmpfs_t:dir rw_dir_perms;
-allow asterisk_t asterisk_tmpfs_t:file manage_file_perms;
-allow asterisk_t asterisk_tmpfs_t:lnk_file create_lnk_perms;
-allow asterisk_t asterisk_tmpfs_t:sock_file manage_file_perms;
-allow asterisk_t asterisk_tmpfs_t:fifo_file manage_file_perms;
+manage_files_pattern(asterisk_t,asterisk_tmpfs_t,asterisk_tmpfs_t)
+manage_lnk_files_pattern(asterisk_t,asterisk_tmpfs_t,asterisk_tmpfs_t)
+manage_fifo_files_pattern(asterisk_t,asterisk_tmpfs_t,asterisk_tmpfs_t)
+manage_sock_files_pattern(asterisk_t,asterisk_tmpfs_t,asterisk_tmpfs_t)
fs_tmpfs_filetrans(asterisk_t,asterisk_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-allow asterisk_t asterisk_var_lib_t:file manage_file_perms;
-allow asterisk_t asterisk_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(asterisk_t,asterisk_var_lib_t,asterisk_var_lib_t)
files_var_lib_filetrans(asterisk_t,asterisk_var_lib_t,file)
-allow asterisk_t asterisk_var_run_t:sock_file manage_file_perms;
-allow asterisk_t asterisk_var_run_t:fifo_file manage_file_perms;
-allow asterisk_t asterisk_var_run_t:file manage_file_perms;
-allow asterisk_t asterisk_var_run_t:dir rw_dir_perms;
+manage_files_pattern(asterisk_t,asterisk_var_run_t,asterisk_var_run_t)
+manage_fifo_files_pattern(asterisk_t,asterisk_var_run_t,asterisk_var_run_t)
+manage_sock_files_pattern(asterisk_t,asterisk_var_run_t,asterisk_var_run_t)
files_pid_filetrans(asterisk_t,asterisk_var_run_t,file)
kernel_read_system_state(asterisk_t)
@@ -157,4 +153,3 @@ ifdef(`TODO',`
allow initrc_t asterisk_var_run_t:fifo_file unlink;
allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };
')
-
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 17e35728..3d071f53 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -22,8 +22,7 @@ allow entropyd_t self:capability { ipc_lock sys_admin };
dontaudit entropyd_t self:capability sys_tty_config;
allow entropyd_t self:process signal_perms;
-allow entropyd_t entropyd_var_run_t:file manage_file_perms;
-allow entropyd_t entropyd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(entropyd_t,entropyd_var_run_t,entropyd_var_run_t)
files_pid_filetrans(entropyd_t,entropyd_var_run_t,file)
kernel_read_kernel_sysctls(entropyd_t)
@@ -69,4 +68,3 @@ optional_policy(`
optional_policy(`
udev_read_db(entropyd_t)
')
-
diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
index 5f97e34f..ac6cf1b8 100644
--- a/policy/modules/services/automount.if
+++ b/policy/modules/services/automount.if
@@ -16,13 +16,7 @@ interface(`automount_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1, automount_exec_t, automount_t)
-
- allow $1 automount_t:fd use;
- allow automount_t $1:fd use;
- allow automount_t $1:fifo_file rw_file_perms;
- allow automount_t $1:process sigchld;
-
+ domtrans_pattern($1, automount_exec_t, automount_t)
')
########################################
@@ -59,8 +53,7 @@ interface(`automount_read_state',`
type automount_t;
')
- allow $1 automount_t:dir search_dir_perms;
- allow $1 automount_t:file r_file_perms;
+ read_files_pattern($1,automount_t,automount_t)
')
########################################
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index 39a11563..effc0a64 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -31,7 +31,7 @@ files_mountpoint(automount_tmp_t)
allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override sys_admin };
dontaudit automount_t self:capability sys_tty_config;
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
-allow automount_t self:fifo_file rw_file_perms;
+allow automount_t self:fifo_file rw_fifo_file_perms;
allow automount_t self:unix_stream_socket create_socket_perms;
allow automount_t self:unix_dgram_socket create_socket_perms;
allow automount_t self:tcp_socket create_stream_socket_perms;
@@ -45,20 +45,19 @@ allow automount_t automount_etc_t:file { getattr read };
can_exec(automount_t, automount_etc_t)
can_exec(automount_t, automount_exec_t)
-allow automount_t automount_lock_t:file create_file_perms;
+allow automount_t automount_lock_t:file manage_file_perms;
files_lock_filetrans(automount_t,automount_lock_t,file)
-allow automount_t automount_tmp_t:dir create_dir_perms;
-allow automount_t automount_tmp_t:file create_file_perms;
+manage_dirs_pattern(automount_t,automount_tmp_t,automount_tmp_t)
+manage_files_pattern(automount_t,automount_tmp_t,automount_tmp_t)
files_tmp_filetrans(automount_t, automount_tmp_t, { file dir })
# Allow automount to create and delete directories in / and /home
-allow automount_t automount_tmp_t:dir create_dir_perms;
+allow automount_t automount_tmp_t:dir manage_dir_perms;
files_home_filetrans(automount_t,automount_tmp_t,dir)
files_root_filetrans(automount_t,automount_tmp_t,dir)
-allow automount_t automount_var_run_t:file create_file_perms;
-allow automount_t automount_var_run_t:dir rw_dir_perms;
+manage_files_pattern(automount_t,automount_var_run_t,automount_var_run_t)
files_pid_filetrans(automount_t,automount_var_run_t,file)
kernel_read_kernel_sysctls(automount_t)
diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
index 4c2ee436..5eaf2ad5 100644
--- a/policy/modules/services/avahi.if
+++ b/policy/modules/services/avahi.if
@@ -37,7 +37,5 @@ interface(`avahi_stream_connect',`
')
files_search_pids($1)
- allow $1 avahi_var_run_t:dir search_dir_perms;
- allow $1 avahi_var_run_t:sock_file rw_file_perms;
- allow $1 avahi_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,avahi_var_run_t,avahi_var_run_t,avahi_t)
')
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index d9dbc91c..9de9b610 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -28,9 +28,9 @@ allow avahi_t self:netlink_route_socket r_netlink_socket_perms;
allow avahi_t self:tcp_socket create_stream_socket_perms;
allow avahi_t self:udp_socket create_socket_perms;
-allow avahi_t avahi_var_run_t:sock_file create_file_perms;
-allow avahi_t avahi_var_run_t:file create_file_perms;
-allow avahi_t avahi_var_run_t:dir { rw_dir_perms setattr };
+manage_files_pattern(avahi_t,avahi_var_run_t,avahi_var_run_t)
+manage_sock_files_pattern(avahi_t,avahi_var_run_t,avahi_var_run_t)
+allow avahi_t avahi_var_run_t:dir setattr;
files_pid_filetrans(avahi_t,avahi_var_run_t,file)
kernel_read_kernel_sysctls(avahi_t)
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index 62661379..f367bd88 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -15,12 +15,7 @@ interface(`bind_domtrans_ndc',`
type ndc_t, ndc_exec_t;
')
- domain_auto_trans($1,ndc_exec_t,ndc_t)
-
- allow $1 ndc_t:fd use;
- allow ndc_t $1:fd use;
- allow ndc_t $1:fifo_file rw_file_perms;
- allow ndc_t $1:process sigchld;
+ domtrans_pattern($1,ndc_exec_t,ndc_t)
')
########################################
@@ -88,12 +83,7 @@ interface(`bind_domtrans',`
type named_t, named_exec_t;
')
- domain_auto_trans($1,named_exec_t,named_t)
-
- allow $1 named_t:fd use;
- allow named_t $1:fd use;
- allow named_t $1:fifo_file rw_file_perms;
- allow named_t $1:process sigchld;
+ domtrans_pattern($1,named_exec_t,named_t)
')
########################################
@@ -111,8 +101,7 @@ interface(`bind_read_dnssec_keys',`
type named_conf_t, named_zone_t, dnssec_t;
')
- allow $1 { named_conf_t named_zone_t }:dir search;
- allow $1 dnssec_t:file { getattr read };
+ read_files_pattern($1,{ named_conf_t named_zone_t },dnssec_t)
')
########################################
@@ -130,8 +119,7 @@ interface(`bind_read_config',`
type named_conf_t;
')
- allow $1 named_conf_t:dir search;
- allow $1 named_conf_t:file { getattr read };
+ read_files_pattern($1,named_conf_t,named_conf_t)
')
########################################
@@ -149,8 +137,8 @@ interface(`bind_write_config',`
type named_conf_t;
')
- allow $1 named_conf_t:dir search;
- allow $1 named_conf_t:file { write setattr };
+ write_files_pattern($1,named_conf_t,named_conf_t)
+ allow $1 named_conf_t:file setattr;
')
########################################
@@ -169,7 +157,7 @@ interface(`bind_manage_config_dirs',`
type named_conf_t;
')
- allow $1 named_conf_t:dir create_dir_perms;
+ manage_dirs_pattern($1,named_conf_t,named_conf_t)
')
########################################
@@ -211,9 +199,8 @@ interface(`bind_manage_cache',`
files_search_var($1)
allow $1 named_zone_t:dir search_dir_perms;
- allow $1 named_cache_t:dir rw_dir_perms;
- allow $1 named_cache_t:file create_file_perms;
- allow $1 named_cache_t:lnk_file create_lnk_perms;
+ manage_files_pattern($1,named_cache_t,named_cache_t)
+ manage_lnk_files_pattern($1,named_cache_t,named_cache_t)
')
########################################
@@ -251,8 +238,7 @@ interface(`bind_read_zone',`
')
files_search_var($1)
- allow $1 named_zone_t:dir search_dir_perms;
- allow $1 named_zone_t:file r_file_perms;
+ read_files_pattern($1,named_zone_t,named_zone_t)
')
########################################
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index c612b1c4..20f7f2b5 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -53,7 +53,7 @@ role system_r types ndc_t;
allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
dontaudit named_t self:capability sys_tty_config;
allow named_t self:process { setsched setcap setrlimit signal_perms };
-allow named_t self:fifo_file rw_file_perms;
+allow named_t self:fifo_file rw_fifo_file_perms;
allow named_t self:unix_stream_socket create_stream_socket_perms;
allow named_t self:unix_dgram_socket create_socket_perms;
allow named_t self:tcp_socket create_stream_socket_perms;
@@ -63,34 +63,31 @@ allow named_t self:netlink_route_socket r_netlink_socket_perms;
allow named_t dnssec_t:file { getattr read };
# read configuration
-allow named_t named_conf_t:dir r_dir_perms;
-allow named_t named_conf_t:file r_file_perms;
-allow named_t named_conf_t:lnk_file r_file_perms;
+allow named_t named_conf_t:dir list_dir_perms;
+read_files_pattern(named_t,named_conf_t,named_conf_t)
+read_lnk_files_pattern(named_t,named_conf_t,named_conf_t)
# write cache for secondary zones
-allow named_t named_cache_t:dir rw_dir_perms;
-allow named_t named_cache_t:file create_file_perms;
-allow named_t named_cache_t:lnk_file create_lnk_perms;
+manage_files_pattern(named_t,named_cache_t,named_cache_t)
+manage_lnk_files_pattern(named_t,named_cache_t,named_cache_t)
can_exec(named_t, named_exec_t)
-allow named_t named_log_t:file create_file_perms;
-allow named_t named_log_t:dir rw_dir_perms;
+manage_files_pattern(named_t,named_log_t,named_log_t)
logging_log_filetrans(named_t,named_log_t,{ file dir })
-allow named_t named_tmp_t:dir create_dir_perms;
-allow named_t named_tmp_t:file create_file_perms;
+manage_dirs_pattern(named_t,named_tmp_t,named_tmp_t)
+manage_files_pattern(named_t,named_tmp_t,named_tmp_t)
files_tmp_filetrans(named_t, named_tmp_t, { file dir })
-allow named_t named_var_run_t:dir rw_dir_perms;
-allow named_t named_var_run_t:file create_file_perms;
-allow named_t named_var_run_t:sock_file create_file_perms;
+manage_files_pattern(named_t,named_var_run_t,named_var_run_t)
+manage_sock_files_pattern(named_t,named_var_run_t,named_var_run_t)
files_pid_filetrans(named_t,named_var_run_t,{ file sock_file })
# read zone files
-allow named_t named_zone_t:dir r_dir_perms;
-allow named_t named_zone_t:file r_file_perms;
-allow named_t named_zone_t:lnk_file r_file_perms;
+allow named_t named_zone_t:dir list_dir_perms;
+read_files_pattern(named_t,named_zone_t,named_zone_t)
+read_lnk_files_pattern(named_t,named_zone_t,named_zone_t)
kernel_read_kernel_sysctls(named_t)
kernel_read_system_state(named_t)
@@ -154,9 +151,9 @@ ifdef(`targeted_policy',`
')
tunable_policy(`named_write_master_zones',`
- allow named_t named_zone_t:dir create_dir_perms;
- allow named_t named_zone_t:file create_file_perms;
- allow named_t named_zone_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern(named_t,named_zone_t,named_zone_t)
+ manage_files_pattern(named_t,named_zone_t,named_zone_t)
+ manage_lnk_files_pattern(named_t,named_zone_t,named_zone_t)
')
optional_policy(`
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index dcbb5aac..e031f399 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -15,10 +15,7 @@ interface(`bluetooth_domtrans',`
type bluetooth_t, bluetooth_exec_t;
')
- domain_auto_trans($1,bluetooth_exec_t,bluetooth_t)
- allow bluetooth_t $1:fd use;
- allow bluetooth_t $1:fifo_file rw_file_perms;
- allow bluetooth_t $1:process sigchld;
+ domtrans_pattern($1,bluetooth_exec_t,bluetooth_t)
')
########################################
@@ -54,12 +51,7 @@ interface(`bluetooth_domtrans_helper',`
type bluetooth_helper_t, bluetooth_helper_exec_t;
')
- domain_auto_trans($1,bluetooth_helper_exec_t,bluetooth_helper_t)
-
- allow $1 bluetooth_helper_t:fd use;
- allow bluetooth_helper_t $1:fd use;
- allow bluetooth_helper_t $1:fifo_file rw_file_perms;
- allow bluetooth_helper_t $1:process sigchld;
+ domtrans_pattern($1,bluetooth_helper_exec_t,bluetooth_helper_t)
')
########################################
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 74dde428..2fb24ac9 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -44,7 +44,7 @@ files_pid_file(bluetooth_var_run_t)
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config ipc_lock };
dontaudit bluetooth_t self:capability sys_tty_config;
allow bluetooth_t self:process { getsched signal_perms };
-allow bluetooth_t self:fifo_file rw_file_perms;
+allow bluetooth_t self:fifo_file rw_fifo_file_perms;
allow bluetooth_t self:shm create_shm_perms;
allow bluetooth_t self:socket create_stream_socket_perms;
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
@@ -52,36 +52,30 @@ allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
allow bluetooth_t self:udp_socket create_socket_perms;
-allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms;
-allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
+read_files_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_t)
-allow bluetooth_t bluetooth_conf_rw_t:dir manage_dir_perms;
-allow bluetooth_t bluetooth_conf_rw_t:file manage_file_perms;
-allow bluetooth_t bluetooth_conf_rw_t:lnk_file create_lnk_perms;
-allow bluetooth_t bluetooth_conf_rw_t:sock_file manage_file_perms;
-allow bluetooth_t bluetooth_conf_rw_t:fifo_file manage_file_perms;
-type_transition bluetooth_t bluetooth_conf_t:{ dir file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;
+manage_dirs_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t)
+manage_files_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t)
+manage_lnk_files_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t)
+manage_fifo_files_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t)
+manage_sock_files_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t)
+filetrans_pattern(bluetooth_t,bluetooth_conf_t,bluetooth_conf_rw_t,{ dir file lnk_file sock_file fifo_file })
-domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
-allow bluetooth_t bluetooth_helper_t:fd use;
-allow bluetooth_helper_t bluetooth_t:fd use;
-allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms;
-allow bluetooth_helper_t bluetooth_t:process sigchld;
+domtrans_pattern(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file)
-allow bluetooth_t bluetooth_tmp_t:dir manage_dir_perms;
-allow bluetooth_t bluetooth_tmp_t:file manage_file_perms;
+manage_dirs_pattern(bluetooth_t,bluetooth_tmp_t,bluetooth_tmp_t)
+manage_files_pattern(bluetooth_t,bluetooth_tmp_t,bluetooth_tmp_t)
files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })
-allow bluetooth_t bluetooth_var_lib_t:file manage_file_perms;
-allow bluetooth_t bluetooth_var_lib_t:dir manage_dir_perms;
+manage_dirs_pattern(bluetooth_t,bluetooth_var_lib_t,bluetooth_var_lib_t)
+manage_files_pattern(bluetooth_t,bluetooth_var_lib_t,bluetooth_var_lib_t)
files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,{ dir file } )
-allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
-allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
-allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms;
+manage_files_pattern(bluetooth_t,bluetooth_var_run_t,bluetooth_var_run_t)
+manage_sock_files_pattern(bluetooth_t,bluetooth_var_run_t,bluetooth_var_run_t)
files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(bluetooth_t)
@@ -169,7 +163,7 @@ optional_policy(`
allow bluetooth_helper_t self:capability sys_nice;
allow bluetooth_helper_t self:process getsched;
-allow bluetooth_helper_t self:fifo_file rw_file_perms;
+allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
allow bluetooth_helper_t self:shm create_shm_perms;
allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow bluetooth_helper_t self:tcp_socket create_socket_perms;
@@ -177,9 +171,9 @@ allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;
allow bluetooth_helper_t bluetooth_t:socket { read write };
-allow bluetooth_helper_t bluetooth_helper_tmp_t:dir manage_dir_perms;
-allow bluetooth_helper_t bluetooth_helper_tmp_t:file manage_file_perms;
-allow bluetooth_helper_t bluetooth_helper_tmp_t:sock_file manage_file_perms;
+manage_dirs_pattern(bluetooth_helper_t,bluetooth_helper_tmp_t,bluetooth_helper_tmp_t)
+manage_files_pattern(bluetooth_helper_t,bluetooth_helper_tmp_t,bluetooth_helper_tmp_t)
+manage_sock_files_pattern(bluetooth_helper_t,bluetooth_helper_tmp_t,bluetooth_helper_tmp_t)
files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
kernel_read_system_state(bluetooth_helper_t)
diff --git a/policy/modules/services/canna.if b/policy/modules/services/canna.if
index c3f5b1d7..5fc24e5c 100644
--- a/policy/modules/services/canna.if
+++ b/policy/modules/services/canna.if
@@ -16,7 +16,5 @@ interface(`canna_stream_connect',`
')
files_search_pids($1)
- allow $1 canna_var_run_t:dir search;
- allow $1 canna_var_run_t:sock_file write;
- allow $1 canna_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,canna_var_run_t,canna_var_run_t,canna_t)
')
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index 63e33972..cc409463 100644
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@@ -31,18 +31,17 @@ allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
allow canna_t self:unix_dgram_socket create_stream_socket_perms;
allow canna_t self:tcp_socket create_stream_socket_perms;
-allow canna_t canna_log_t:file create_file_perms;
-allow canna_t canna_log_t:dir { rw_dir_perms setattr };
+manage_files_pattern(canna_t,canna_log_t,canna_log_t)
+allow canna_t canna_log_t:dir setattr;
logging_log_filetrans(canna_t,canna_log_t,{ file dir })
-allow canna_t canna_var_lib_t:dir create_dir_perms;
-allow canna_t canna_var_lib_t:file create_file_perms;
-allow canna_t canna_var_lib_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(canna_t,canna_var_lib_t,canna_var_lib_t)
+manage_files_pattern(canna_t,canna_var_lib_t,canna_var_lib_t)
+manage_lnk_files_pattern(canna_t,canna_var_lib_t,canna_var_lib_t)
files_var_lib_filetrans(canna_t,canna_var_lib_t,file)
-allow canna_t canna_var_run_t:dir rw_dir_perms;
-allow canna_t canna_var_run_t:file create_file_perms;
-allow canna_t canna_var_run_t:sock_file create_file_perms;
+manage_files_pattern(canna_t,canna_var_run_t,canna_var_run_t)
+manage_sock_files_pattern(canna_t,canna_var_run_t,canna_var_run_t)
files_pid_filetrans(canna_t, canna_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(canna_t)
diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if
index 366e5eb3..5259f465 100644
--- a/policy/modules/services/ccs.if
+++ b/policy/modules/services/ccs.if
@@ -15,10 +15,7 @@ interface(`ccs_domtrans',`
type ccs_t, ccs_exec_t;
')
- domain_auto_trans($1,ccs_exec_t,ccs_t)
- allow ccs_t $1:fd use;
- allow ccs_t $1:fifo_file rw_file_perms;
- allow ccs_t $1:process sigchld;
+ domtrans_pattern($1,ccs_exec_t,ccs_t)
')
########################################
@@ -37,9 +34,7 @@ interface(`ccs_stream_connect',`
')
files_search_pids($1)
- allow $1 ccs_var_run_t:dir list_dir_perms;
- allow $1 ccs_var_run_t:sock_file write;
- allow $1 ccs_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,ccs_var_run_t,ccs_var_run_t,ccs_t)
')
########################################
@@ -57,8 +52,7 @@ interface(`ccs_read_config',`
type cluster_conf_t;
')
- allow $1 cluster_conf_t:dir search_dir_perms;
- allow $1 cluster_conf_t:file { getattr read };
+ read_files_pattern($1,cluster_conf_t,cluster_conf_t)
')
########################################
@@ -76,6 +70,6 @@ interface(`ccs_manage_config',`
type cluster_conf_t;
')
- allow $1 cluster_conf_t:dir manage_dir_perms;
- allow $1 cluster_conf_t:file manage_file_perms;
+ manage_dirs_pattern($1,cluster_conf_t,cluster_conf_t)
+ manage_files_pattern($1,cluster_conf_t,cluster_conf_t)
')
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index 97939d78..ce2c80f7 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -38,19 +38,18 @@ allow ccs_t self:udp_socket { create_socket_perms listen recv_msg send_msg };
# cjp: this needs to be fixed to be specific
allow ccs_t self:socket create_socket_perms;
-allow ccs_t cluster_conf_t:dir rw_dir_perms;
-allow ccs_t cluster_conf_t:file manage_file_perms;
+manage_files_pattern(ccs_t,cluster_conf_t,cluster_conf_t)
# log files
-allow ccs_t ccs_var_log_t:file create_file_perms;
-allow ccs_t ccs_var_log_t:sock_file create_file_perms;
-allow ccs_t ccs_var_log_t:dir { rw_dir_perms setattr };
+manage_files_pattern(ccs_t,ccs_var_log_t,ccs_var_log_t)
+manage_sock_files_pattern(ccs_t,ccs_var_log_t,ccs_var_log_t)
+allow ccs_t ccs_var_log_t:dir setattr;
logging_log_filetrans(ccs_t,ccs_var_log_t,{ sock_file file dir })
# pid file
-allow ccs_t ccs_var_run_t:file manage_file_perms;
-allow ccs_t ccs_var_run_t:sock_file manage_file_perms;
-allow ccs_t ccs_var_run_t:dir manage_dir_perms;
+manage_dirs_pattern(ccs_t,ccs_var_run_t,ccs_var_run_t)
+manage_files_pattern(ccs_t,ccs_var_run_t,ccs_var_run_t)
+manage_sock_files_pattern(ccs_t,ccs_var_run_t,ccs_var_run_t)
files_pid_filetrans(ccs_t,ccs_var_run_t, { dir file sock_file })
kernel_read_kernel_sysctls(ccs_t)
diff --git a/policy/modules/services/cipe.te b/policy/modules/services/cipe.te
index f7944b6b..0dd7abd4 100644
--- a/policy/modules/services/cipe.te
+++ b/policy/modules/services/cipe.te
@@ -18,7 +18,7 @@ init_daemon_domain(ciped_t,ciped_exec_t)
allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };
dontaudit ciped_t self:capability sys_tty_config;
allow ciped_t self:process signal_perms;
-allow ciped_t self:fifo_file rw_file_perms;
+allow ciped_t self:fifo_file rw_fifo_file_perms;
allow ciped_t self:unix_dgram_socket create_socket_perms;
allow ciped_t self:unix_stream_socket create_socket_perms;
allow ciped_t self:udp_socket create_socket_perms;
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 9c9c3fa4..c7694b72 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -15,12 +15,7 @@ interface(`clamav_domtrans',`
type clamd_t, clamd_exec_t;
')
- domain_auto_trans($1,clamd_exec_t,clamd_t)
-
- allow $1 clamd_t:fd use;
- allow clamd_t $1:fd use;
- allow clamd_t $1:fifo_file rw_file_perms;
- allow clamd_t $1:process sigchld;
+ domtrans_pattern($1,clamd_exec_t,clamd_t)
')
########################################
@@ -38,9 +33,7 @@ interface(`clamav_stream_connect',`
type clamd_t, clamd_var_run_t;
')
- allow $1 clamd_var_run_t:dir search;
- allow $1 clamd_var_run_t:sock_file write;
- allow $1 clamd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,clamd_var_run_t,clamd_var_run_t,clamd_t)
')
########################################
@@ -59,7 +52,7 @@ interface(`clamav_read_config',`
')
files_search_etc($1)
- allow $1 clamd_etc_t:file r_file_perms;
+ allow $1 clamd_etc_t:file read_file_perms;
')
########################################
@@ -96,9 +89,5 @@ interface(`clamav_domtrans_clamscan',`
type clamscan_t, clamscan_exec_t;
')
- domain_auto_trans($1,clamscan_exec_t,clamscan_t)
-
- allow clamscan_t $1:fd use;
- allow clamscan_t $1:fifo_file rw_file_perms;
- allow clamscan_t $1:process sigchld;
+ domtrans_pattern($1,clamscan_exec_t,clamscan_t)
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index fd853539..9eb17422 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -54,34 +54,33 @@ logging_log_file(freshclam_var_log_t)
#
allow clamd_t self:capability { kill setgid setuid dac_override };
-allow clamd_t self:fifo_file rw_file_perms;
+allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket create_stream_socket_perms;
allow clamd_t self:unix_dgram_socket create_socket_perms;
allow clamd_t self:tcp_socket { listen accept };
# configuration files
-allow clamd_t clamd_etc_t:dir r_dir_perms;
-allow clamd_t clamd_etc_t:file r_file_perms;
-allow clamd_t clamd_etc_t:lnk_file { getattr read };
+allow clamd_t clamd_etc_t:dir list_dir_perms;
+read_files_pattern(clamd_t,clamd_etc_t,clamd_etc_t)
+read_lnk_files_pattern(clamd_t,clamd_etc_t,clamd_etc_t)
# tmp files
-allow clamd_t clamd_tmp_t:file create_file_perms;
-allow clamd_t clamd_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(clamd_t,clamd_tmp_t,clamd_tmp_t)
+manage_files_pattern(clamd_t,clamd_tmp_t,clamd_tmp_t)
files_tmp_filetrans(clamd_t,clamd_tmp_t,{ file dir })
# var/lib files for clamd
-allow clamd_t clamd_var_lib_t:file create_file_perms;
-allow clamd_t clamd_var_lib_t:dir create_dir_perms;
+manage_dirs_pattern(clamd_t,clamd_var_lib_t,clamd_var_lib_t)
+manage_files_pattern(clamd_t,clamd_var_lib_t,clamd_var_lib_t)
# log files
-allow clamd_t clamd_var_log_t:file create_file_perms;
-allow clamd_t clamd_var_log_t:dir { rw_dir_perms setattr };
+allow clamd_t clamd_var_log_t:dir setattr;
+manage_files_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
logging_log_filetrans(clamd_t,clamd_var_log_t,file)
# pid file
-allow clamd_t clamd_var_run_t:file manage_file_perms;
-allow clamd_t clamd_var_run_t:sock_file manage_file_perms;
-allow clamd_t clamd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(clamd_t,clamd_var_run_t,clamd_var_run_t)
+manage_sock_files_pattern(clamd_t,clamd_var_run_t,clamd_var_run_t)
files_pid_filetrans(clamd_t,clamd_var_run_t,file)
kernel_dontaudit_list_proc(clamd_t)
@@ -138,30 +137,29 @@ optional_policy(`
#
allow freshclam_t self:capability { setgid setuid dac_override };
-allow freshclam_t self:fifo_file rw_file_perms;
+allow freshclam_t self:fifo_file rw_fifo_file_perms;
allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
allow freshclam_t self:unix_dgram_socket create_socket_perms;
allow freshclam_t self:tcp_socket { listen accept };
# configuration files
-allow freshclam_t clamd_etc_t:dir r_dir_perms;
-allow freshclam_t clamd_etc_t:file r_file_perms;
-allow freshclam_t clamd_etc_t:lnk_file { getattr read };
+allow freshclam_t clamd_etc_t:dir list_dir_perms;
+read_files_pattern(freshclam_t,clamd_etc_t,clamd_etc_t)
+read_lnk_files_pattern(freshclam_t,clamd_etc_t,clamd_etc_t)
# var/lib files together with clamd
-allow freshclam_t clamd_var_lib_t:file create_file_perms;
-allow freshclam_t clamd_var_lib_t:dir create_dir_perms;
+manage_dirs_pattern(freshclam_t,clamd_var_lib_t,clamd_var_lib_t)
+manage_files_pattern(freshclam_t,clamd_var_lib_t,clamd_var_lib_t)
# pidfiles- var/run together with clamd
-allow freshclam_t clamd_var_run_t:file manage_file_perms;
-allow freshclam_t clamd_var_run_t:sock_file manage_file_perms;
-allow freshclam_t clamd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(freshclam_t,clamd_var_run_t,clamd_var_run_t)
+manage_sock_files_pattern(freshclam_t,clamd_var_run_t,clamd_var_run_t)
files_pid_filetrans(freshclam_t,clamd_var_run_t,file)
# log files (own logfiles only)
-allow freshclam_t freshclam_var_log_t:file create_file_perms;
-allow freshclam_t freshclam_var_log_t:dir { rw_dir_perms setattr };
-allow freshclam_t clamd_var_log_t:dir search;
+manage_files_pattern(freshclam_t,freshclam_var_log_t,freshclam_var_log_t)
+allow freshclam_t freshclam_var_log_t:dir setattr;
+allow freshclam_t clamd_var_log_t:dir search_dir_perms;
logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
corenet_non_ipsec_sendrecv(freshclam_t)
@@ -208,18 +206,18 @@ allow clamscan_t self:unix_dgram_socket create_socket_perms;
allow clamscan_t self:tcp_socket { listen accept };
# configuration files
-allow clamscan_t clamd_etc_t:dir r_dir_perms;
-allow clamscan_t clamd_etc_t:file r_file_perms;
-allow clamscan_t clamd_etc_t:lnk_file { getattr read };
+allow clamscan_t clamd_etc_t:dir list_dir_perms;
+read_files_pattern(clamscan_t,clamd_etc_t,clamd_etc_t)
+read_lnk_files_pattern(clamscan_t,clamd_etc_t,clamd_etc_t)
# tmp files
-allow clamscan_t clamscan_tmp_t:file manage_file_perms;
-allow clamscan_t clamscan_tmp_t:dir manage_dir_perms;
+manage_dirs_pattern(clamscan_t,clamscan_tmp_t,clamscan_tmp_t)
+manage_files_pattern(clamscan_t,clamscan_tmp_t,clamscan_tmp_t)
files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir })
# var/lib files together with clamd
-allow clamscan_t clamd_var_lib_t:file r_file_perms;
-allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
+read_files_pattern(clamscan_t,clamd_var_lib_t,clamd_var_lib_t)
+allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
kernel_read_kernel_sysctls(clamscan_t)
diff --git a/policy/modules/services/clockspeed.if b/policy/modules/services/clockspeed.if
index cc5e29d8..27dcff5d 100644
--- a/policy/modules/services/clockspeed.if
+++ b/policy/modules/services/clockspeed.if
@@ -15,10 +15,7 @@ interface(`clockspeed_domtrans_cli',`
type clockspeed_cli_t, clockspeed_cli_exec_t;
')
- domain_auto_trans($1, clockspeed_cli_exec_t, clockspeed_cli_t)
- allow clockspeed_cli_t $1:fd use;
- allow clockspeed_cli_t $1:fifo_file { read write };
- allow clockspeed_cli_t $1:process sigchld;
+ domtrans_pattern($1, clockspeed_cli_exec_t, clockspeed_cli_t)
')
########################################
diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te
index 3c95baff..1b22e77e 100644
--- a/policy/modules/services/clockspeed.te
+++ b/policy/modules/services/clockspeed.te
@@ -25,8 +25,8 @@ files_type(clockspeed_var_lib_t)
allow clockspeed_cli_t self:capability sys_time;
allow clockspeed_cli_t self:udp_socket create_socket_perms;
-allow clockspeed_cli_t clockspeed_var_lib_t:dir search;
-allow clockspeed_cli_t clockspeed_var_lib_t:file { getattr read };
+
+read_files_pattern(clockspeed_cli_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
corenet_non_ipsec_sendrecv(clockspeed_cli_t)
corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
@@ -52,9 +52,8 @@ allow clockspeed_srv_t self:udp_socket create_socket_perms;
allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms;
allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
-allow clockspeed_srv_t clockspeed_var_lib_t:dir rw_dir_perms;
-allow clockspeed_srv_t clockspeed_var_lib_t:file create_file_perms;
-allow clockspeed_srv_t clockspeed_var_lib_t:fifo_file create_file_perms;
+manage_files_pattern(clockspeed_srv_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
+manage_fifo_files_pattern(clockspeed_srv_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
corenet_non_ipsec_sendrecv(clockspeed_srv_t)
corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
diff --git a/policy/modules/services/comsat.te b/policy/modules/services/comsat.te
index c0920064..97c376b7 100644
--- a/policy/modules/services/comsat.te
+++ b/policy/modules/services/comsat.te
@@ -24,19 +24,16 @@ files_pid_file(comsat_var_run_t)
allow comsat_t self:capability { setuid setgid };
allow comsat_t self:process signal_perms;
-allow comsat_t self:dir search;
-allow comsat_t self:fifo_file rw_file_perms;
-allow comsat_t self:{ lnk_file file } { getattr read };
+allow comsat_t self:fifo_file rw_fifo_file_perms;
allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow comsat_t self:tcp_socket connected_stream_socket_perms;
allow comsat_t self:udp_socket create_socket_perms;
-allow comsat_t comsat_tmp_t:dir create_dir_perms;
-allow comsat_t comsat_tmp_t:file create_file_perms;
+manage_dirs_pattern(comsat_t,comsat_tmp_t,comsat_tmp_t)
+manage_files_pattern(comsat_t,comsat_tmp_t,comsat_tmp_t)
files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir })
-allow comsat_t comsat_var_run_t:file create_file_perms;
-allow comsat_t comsat_var_run_t:dir rw_dir_perms;
+manage_files_pattern(comsat_t,comsat_var_run_t,comsat_var_run_t)
files_pid_filetrans(comsat_t,comsat_var_run_t,file)
kernel_read_kernel_sysctls(comsat_t)
diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
index d5866bbf..7735e91a 100644
--- a/policy/modules/services/courier.if
+++ b/policy/modules/services/courier.if
@@ -35,13 +35,12 @@ template(`courier_domain_template',`
can_exec(courier_$1_t, courier_$1_exec_t)
- allow courier_$1_t courier_etc_t:file r_file_perms;
- allow courier_$1_t courier_etc_t:dir r_dir_perms;
+ read_files_pattern(courier_$1_t,courier_etc_t,courier_etc_t)
+ allow courier_$1_t courier_etc_t:dir list_dir_perms;
- allow courier_$1_t courier_var_run_t:dir rw_dir_perms;
- allow courier_$1_t courier_var_run_t:file create_file_perms;
- allow courier_$1_t courier_var_run_t:lnk_file create_lnk_perms;
- allow courier_$1_t courier_var_run_t:sock_file create_file_perms;
+ manage_files_pattern(courier_$1_t,courier_var_run_t,courier_var_run_t)
+ manage_lnk_files_pattern(courier_$1_t,courier_var_run_t,courier_var_run_t)
+ manage_sock_files_pattern(courier_$1_t,courier_var_run_t,courier_var_run_t)
files_search_pids(courier_$1_t)
kernel_read_system_state(courier_$1_t)
@@ -113,10 +112,7 @@ interface(`courier_domtrans_authdaemon',`
type courier_authdaemon_t, courier_authdaemon_exec_t;
')
- domain_auto_trans($1, courier_authdaemon_exec_t, courier_authdaemon_t)
- allow courier_authdaemon_t $1:fd use;
- allow courier_authdaemon_t $1:fifo_file rw_file_perms;
- allow courier_authdaemon_t $1:process sigchld;
+ domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
')
########################################
@@ -135,8 +131,5 @@ interface(`courier_domtrans_pop',`
type courier_pop_t, courier_pop_exec_t;
')
- domain_auto_trans($1, courier_pop_exec_t, courier_pop_t)
- allow courier_pop_t $1:fd use;
- allow courier_pop_t $1:fifo_file rw_file_perms;
- allow courier_pop_t $1:process sigchld;
+ domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
')
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index ab13cad2..0292cf01 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -41,7 +41,7 @@ can_exec(courier_authdaemon_t, courier_exec_t)
allow courier_authdaemon_t courier_tcpd_t:fd use;
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
+allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
@@ -112,9 +112,8 @@ allow courier_tcpd_t self:capability kill;
can_exec(courier_tcpd_t, courier_exec_t)
-allow courier_tcpd_t courier_var_lib_t:dir rw_dir_perms;
-allow courier_tcpd_t courier_var_lib_t:file manage_file_perms;
-allow courier_tcpd_t courier_var_lib_t:lnk_file create_lnk_perms;
+manage_files_pattern(courier_tcpd_t,courier_var_lib_t,courier_var_lib_t)
+manage_lnk_files_pattern(courier_tcpd_t,courier_var_lib_t,courier_var_lib_t)
files_search_var_lib(courier_tcpd_t)
corecmd_search_sbin(courier_tcpd_t)
diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te
index cc94f06b..bedc36f1 100644
--- a/policy/modules/services/cpucontrol.te
+++ b/policy/modules/services/cpucontrol.te
@@ -29,9 +29,9 @@ allow cpucontrol_t self:capability { ipc_lock sys_rawio };
dontaudit cpucontrol_t self:capability sys_tty_config;
allow cpucontrol_t self:process signal_perms;
-allow cpucontrol_t cpucontrol_conf_t:dir r_dir_perms;
-allow cpucontrol_t cpucontrol_conf_t:file r_file_perms;
-allow cpucontrol_t cpucontrol_conf_t:lnk_file { getattr read };
+allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
+read_files_pattern(cpucontrol_t,cpucontrol_conf_t,cpucontrol_conf_t)
+read_lnk_files_pattern(cpucontrol_t,cpucontrol_conf_t,cpucontrol_conf_t)
kernel_list_proc(cpucontrol_t)
kernel_read_proc_symlinks(cpucontrol_t)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 59d8735c..1c56bb11 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -64,7 +64,7 @@ template(`cron_per_role_template',`
allow $1_crond_t self:capability dac_override;
allow $1_crond_t self:process { signal_perms setsched };
- allow $1_crond_t self:fifo_file rw_file_perms;
+ allow $1_crond_t self:fifo_file rw_fifo_file_perms;
allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
allow $1_crond_t self:unix_dgram_socket create_socket_perms;
@@ -149,7 +149,7 @@ template(`cron_per_role_template',`
# userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
tunable_policy(`fcron_crond', `
- allow crond_t $1_cron_spool_t:file create_file_perms;
+ allow crond_t $1_cron_spool_t:file manage_file_perms;
')
optional_policy(`
@@ -183,30 +183,23 @@ template(`cron_per_role_template',`
allow $1_crontab_t self:process signal_perms;
# Transition from the user domain to the derived domain.
- domain_auto_trans($2, crontab_exec_t, $1_crontab_t)
- allow $2 $1_crontab_t:fd use;
- allow $1_crontab_t $2:fd use;
- allow $1_crontab_t $2:fifo_file rw_file_perms;
- allow $1_crontab_t $2:process sigchld;
+ domtrans_pattern($2, crontab_exec_t, $1_crontab_t)
# crontab shows up in user ps
- allow $2 $1_crontab_t:dir { search getattr read };
- allow $2 $1_crontab_t:{ file lnk_file } { read getattr };
- allow $2 $1_crontab_t:process getattr;
+ ps_process_pattern($2,$1_crontab_t)
# for ^Z
allow $2 $1_crontab_t:process signal;
# Allow crond to read those crontabs in cron spool.
- allow crond_t $1_cron_spool_t:file create_file_perms;
+ allow crond_t $1_cron_spool_t:file manage_file_perms;
allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,file)
# create files in /var/spool/cron
- allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
- allow $1_crontab_t $1_cron_spool_t:file manage_file_perms;
- type_transition $1_crontab_t cron_spool_t:file $1_cron_spool_t;
+ manage_files_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t)
+ filetrans_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t,file)
files_search_spool($1_crontab_t)
# crontab signals crond by updating the mtime on the spooldir
@@ -394,7 +387,7 @@ interface(`cron_read_pipes',`
type crond_t;
')
- allow $1 crond_t:fifo_file r_file_perms;
+ allow $1 crond_t:fifo_file read_fifo_file_perms;
')
########################################
@@ -467,7 +460,7 @@ interface(`cron_search_spool',`
')
files_search_spool($1)
- allow $1 cron_spool_t:dir search;
+ allow $1 cron_spool_t:dir search_dir_perms;
')
########################################
@@ -485,12 +478,7 @@ interface(`cron_anacron_domtrans_system_job',`
type system_crond_t, anacron_exec_t;
')
- domain_auto_trans($1,anacron_exec_t,system_crond_t)
-
- allow $1 system_crond_t:fd use;
- allow system_crond_t $1:fd use;
- allow system_crond_t $1:fifo_file rw_file_perms;
- allow system_crond_t $1:process sigchld;
+ domtrans_pattern($1,anacron_exec_t,system_crond_t)
')
########################################
@@ -545,7 +533,7 @@ interface(`cron_rw_system_job_pipes',`
type system_crond_t;
')
- allow $1 system_crond_t:fifo_file rw_file_perms;
+ allow $1 system_crond_t:fifo_file rw_fifo_file_perms;
')
########################################
@@ -564,7 +552,7 @@ interface(`cron_read_system_job_tmp_files',`
')
files_search_tmp($1)
- allow $1 system_crond_tmp_t:file r_file_perms;
+ allow $1 system_crond_tmp_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 3e08b8a0..3a6bc15a 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -77,7 +77,7 @@ dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
-allow crond_t self:fifo_file rw_file_perms;
+allow crond_t self:fifo_file rw_fifo_file_perms;
allow crond_t self:unix_dgram_socket create_socket_perms;
allow crond_t self:unix_stream_socket create_stream_socket_perms;
allow crond_t self:unix_dgram_socket sendto;
@@ -88,13 +88,14 @@ allow crond_t self:msgq create_msgq_perms;
allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
-allow crond_t crond_var_run_t:file create_file_perms;
+allow crond_t crond_var_run_t:file manage_file_perms;
files_pid_filetrans(crond_t,crond_var_run_t,file)
allow crond_t cron_spool_t:dir rw_dir_perms;
-allow crond_t cron_spool_t:file r_file_perms;
-allow crond_t system_cron_spool_t:dir r_dir_perms;
-allow crond_t system_cron_spool_t:file r_file_perms;
+allow crond_t cron_spool_t:file read_file_perms;
+
+allow crond_t system_cron_spool_t:dir list_dir_perms;
+allow crond_t system_cron_spool_t:file read_file_perms;
kernel_read_kernel_sysctls(crond_t)
kernel_search_key(crond_t)
@@ -172,11 +173,11 @@ optional_policy(`
')
ifdef(`targeted_policy',`
- allow crond_t system_crond_tmp_t:dir create_dir_perms;
- allow crond_t system_crond_tmp_t:file create_file_perms;
- allow crond_t system_crond_tmp_t:lnk_file create_lnk_perms;
- allow crond_t system_crond_tmp_t:sock_file create_file_perms;
- allow crond_t system_crond_tmp_t:fifo_file create_file_perms;
+ manage_dirs_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
+ manage_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
+ manage_lnk_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
+ manage_fifo_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
+ manage_sock_files_pattern(crond_t,system_crond_tmp_t,system_crond_tmp_t)
files_tmp_filetrans(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
unconfined_domain(crond_t)
@@ -195,13 +196,13 @@ ifdef(`targeted_policy',`
mono_domtrans(crond_t)
')
',`
- allow crond_t crond_tmp_t:dir create_dir_perms;
- allow crond_t crond_tmp_t:file create_file_perms;
+ manage_dirs_pattern(crond_t,crond_tmp_t,crond_tmp_t)
+ manage_files_pattern(crond_t,crond_tmp_t,crond_tmp_t)
files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
')
tunable_policy(`fcron_crond', `
- allow crond_t system_cron_spool_t:file create_file_perms;
+ allow crond_t system_cron_spool_t:file manage_file_perms;
')
optional_policy(`
@@ -265,7 +266,7 @@ ifdef(`targeted_policy',`
',`
allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
allow system_crond_t self:process { signal_perms setsched };
- allow system_crond_t self:fifo_file rw_file_perms;
+ allow system_crond_t self:fifo_file rw_fifo_file_perms;
allow system_crond_t self:passwd rootok;
# The entrypoint interface is not used as this is not
@@ -277,7 +278,7 @@ ifdef(`targeted_policy',`
# for this purpose.
allow system_crond_t system_cron_spool_t:file entrypoint;
- allow system_crond_t system_cron_spool_t:file r_file_perms;
+ allow system_crond_t system_cron_spool_t:file read_file_perms;
# Permit a transition from the crond_t domain to this domain.
# The transition is requested explicitly by the modified crond
@@ -291,21 +292,18 @@ ifdef(`targeted_policy',`
allow system_crond_t crond_t:process sigchld;
# Write /var/lock/makewhatis.lock.
- allow system_crond_t system_crond_lock_t:file create_file_perms;
+ allow system_crond_t system_crond_lock_t:file manage_file_perms;
files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
# write temporary files
- allow system_crond_t system_crond_tmp_t:file manage_file_perms;
- allow system_crond_t system_crond_tmp_t:lnk_file create_lnk_perms;
+ manage_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t)
+ manage_lnk_files_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t)
+ filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
- # write temporary files in crond tmp dir:
- allow system_crond_t crond_tmp_t:dir rw_dir_perms;
- type_transition system_crond_t crond_tmp_t:{ file lnk_file } system_crond_tmp_t;
-
# Read from /var/spool/cron.
- allow system_crond_t cron_spool_t:dir r_dir_perms;
- allow system_crond_t cron_spool_t:file r_file_perms;
+ allow system_crond_t cron_spool_t:dir list_dir_perms;
+ allow system_crond_t cron_spool_t:file read_file_perms;
kernel_read_kernel_sysctls(system_crond_t)
kernel_read_system_state(system_crond_t)
@@ -397,7 +395,7 @@ ifdef(`targeted_policy',`
')
optional_policy(`
- # Needed for certwatch
+ # Needed for certwatch
apache_exec_modules(system_crond_t)
apache_read_config(system_crond_t)
apache_read_log(system_crond_t)
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index e639ffa9..00da5614 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -15,12 +15,7 @@ interface(`cups_domtrans',`
type cupsd_t, cupsd_exec_t;
')
- domain_auto_trans($1,cupsd_exec_t,cupsd_t)
-
- allow $1 cupsd_t:fd use;
- allow cupsd_t $1:fd use;
- allow cupsd_t $1:fifo_file rw_file_perms;
- allow cupsd_t $1:process sigchld;
+ domtrans_pattern($1,cupsd_exec_t,cupsd_t)
')
########################################
@@ -39,9 +34,7 @@ interface(`cups_stream_connect',`
')
files_search_pids($1)
- allow $1 cupsd_var_run_t:dir search;
- allow $1 cupsd_var_run_t:sock_file { getattr write };
- allow $1 cupsd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,cupsd_var_run_t,cupsd_var_run_t,cupsd_t)
')
########################################
@@ -95,7 +88,7 @@ interface(`cups_read_pid_files',`
')
files_search_pids($1)
- allow $1 cupsd_var_run_t:file r_file_perms;
+ allow $1 cupsd_var_run_t:file read_file_perms;
')
########################################
@@ -113,12 +106,7 @@ interface(`cups_domtrans_config',`
type cupsd_config_t, cupsd_config_exec_t;
')
- domain_auto_trans($1,cupsd_config_exec_t,cupsd_config_t)
-
- allow $1 cupsd_config_t:fd use;
- allow cupsd_config_t $1:fd use;
- allow cupsd_config_t $1:fifo_file rw_file_perms;
- allow cupsd_config_t $1:process sigchld;
+ domtrans_pattern($1,cupsd_config_exec_t,cupsd_config_t)
')
########################################
@@ -178,9 +166,8 @@ interface(`cups_read_config',`
')
files_search_etc($1)
- allow $1 cupsd_etc_t:dir search_dir_perms;
- allow $1 cupsd_etc_t:file { getattr read };
- allow $1 cupsd_rw_etc_t:file { getattr read };
+ read_files_pattern($1,cupsd_etc_t,cupsd_etc_t)
+ read_files_pattern($1,cupsd_etc_t,cupsd_rw_etc_t)
')
########################################
@@ -200,8 +187,7 @@ interface(`cups_read_rw_config',`
')
files_search_etc($1)
- allow $1 cupsd_etc_t:dir search_dir_perms;
- allow $1 cupsd_rw_etc_t:file { getattr read };
+ read_files_pattern($1,cupsd_etc_t,cupsd_rw_etc_t)
')
########################################
@@ -259,7 +245,5 @@ interface(`cups_stream_connect_ptal',`
')
files_search_pids($1)
- allow $1 ptal_var_run_t:dir search;
- allow $1 ptal_var_run_t:sock_file write;
- allow $1 ptal_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,ptal_var_run_t,ptal_var_run_t,ptal_t)
')
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 1960ed6b..36a8680d 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -81,13 +81,12 @@ ifdef(`enable_mls',`
#
# /usr/lib/cups/backend/serial needs sys_admin(?!)
-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config audit_write };
+allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
allow cupsd_t self:process { setsched signal_perms };
allow cupsd_t self:fifo_file rw_file_perms;
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t self:unix_dgram_socket create_socket_perms;
-allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
allow cupsd_t self:tcp_socket create_stream_socket_perms;
@@ -96,14 +95,16 @@ allow cupsd_t self:appletalk_socket create_socket_perms;
# generic socket here until appletalk socket is available in kernels
allow cupsd_t self:socket create_socket_perms;
-allow cupsd_t cupsd_etc_t:file { r_file_perms setattr };
-allow cupsd_t cupsd_etc_t:dir { rw_dir_perms setattr };
-allow cupsd_t cupsd_etc_t:lnk_file { getattr read };
+send_audit_msgs_pattern(cupsd_t)
+
+allow cupsd_t cupsd_etc_t:{ dir file } setattr;
+read_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
+read_lnk_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
files_search_etc(cupsd_t)
-allow cupsd_t cupsd_rw_etc_t:file manage_file_perms;
-allow cupsd_t cupsd_rw_etc_t:dir manage_dir_perms;
-type_transition cupsd_t cupsd_etc_t:file cupsd_rw_etc_t;
+manage_dirs_pattern(cupsd_t,cupsd_etc_t,cupsd_rw_etc_t)
+manage_files_pattern(cupsd_t,cupsd_etc_t,cupsd_rw_etc_t)
+filetrans_pattern(cupsd_t,cupsd_etc_t,cupsd_rw_etc_t,file)
files_var_filetrans(cupsd_t,cupsd_rw_etc_t,{ dir file })
# allow cups to execute its backend scripts
@@ -111,28 +112,26 @@ can_exec(cupsd_t, cupsd_exec_t)
allow cupsd_t cupsd_exec_t:dir search;
allow cupsd_t cupsd_exec_t:lnk_file read;
-allow cupsd_t cupsd_log_t:file create_file_perms;
-allow cupsd_t cupsd_log_t:dir { setattr rw_dir_perms };
+manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
+allow cupsd_t cupsd_log_t:dir setattr;
logging_log_filetrans(cupsd_t,cupsd_log_t,{ file dir })
-allow cupsd_t cupsd_tmp_t:dir create_dir_perms;
-allow cupsd_t cupsd_tmp_t:file create_file_perms;
-allow cupsd_t cupsd_tmp_t:fifo_file create_file_perms;
+manage_dirs_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
+manage_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
+manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
-allow cupsd_t cupsd_var_run_t:file create_file_perms;
-allow cupsd_t cupsd_var_run_t:dir { setattr rw_dir_perms };
-allow cupsd_t cupsd_var_run_t:sock_file create_file_perms;
+allow cupsd_t cupsd_var_run_t:dir setattr;
+manage_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
+manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
-allow cupsd_t hplip_etc_t:file r_file_perms;
-allow cupsd_t hplip_etc_t:dir r_dir_perms;
+read_files_pattern(cupsd_t,hplip_etc_t,hplip_etc_t)
allow cupsd_t hplip_var_run_t:file { read getattr };
-allow cupsd_t ptal_var_run_t:dir search;
-allow cupsd_t ptal_var_run_t:sock_file { write setattr };
-allow cupsd_t ptal_t:unix_stream_socket connectto;
+stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
+allow cupsd_t ptal_var_run_t : sock_file setattr;
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
@@ -312,42 +311,35 @@ optional_policy(`
allow cupsd_config_t self:capability { chown sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
allow cupsd_config_t self:process signal_perms;
-allow cupsd_config_t self:fifo_file rw_file_perms;
+allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms;
-# old can_ps() on cupsd_t:
-allow cupsd_config_t cupsd_t:process { signal };
-allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
-allow cupsd_config_t cupsd_t:dir { search getattr read };
-allow cupsd_config_t cupsd_t:{ file lnk_file } { read getattr };
-allow cupsd_config_t cupsd_t:process getattr;
+allow cupsd_config_t cupsd_t:process signal;
+ps_process_pattern(cupsd_config_t,cupsd_t)
-allow cupsd_config_t cupsd_config_var_run_t:file create_file_perms;
-allow cupsd_config_t cupsd_config_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t,file)
+manage_files_pattern(cupsd_config_t,cupsd_etc_t,cupsd_etc_t)
+manage_lnk_files_pattern(cupsd_config_t,cupsd_etc_t,cupsd_etc_t)
+filetrans_pattern(cupsd_config_t,cupsd_etc_t,cupsd_rw_etc_t,file)
+
+manage_files_pattern(cupsd_config_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
+manage_lnk_files_pattern(cupsd_config_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
+files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
can_exec(cupsd_config_t, cupsd_config_exec_t)
-allow cupsd_config_t cupsd_etc_t:dir rw_dir_perms;
-allow cupsd_config_t cupsd_etc_t:file create_file_perms;
-allow cupsd_config_t cupsd_etc_t:lnk_file create_lnk_perms;
-type_transition cupsd_config_t cupsd_etc_t:file cupsd_rw_etc_t;
-
allow cupsd_config_t cupsd_log_t:file rw_file_perms;
-allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms;
-allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
-allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
-files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
-
-allow cupsd_config_t cupsd_tmp_t:file create_file_perms;
+allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;
files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
+manage_files_pattern(cupsd_config_t,cupsd_config_var_run_t,cupsd_config_var_run_t)
+files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t,file)
+
kernel_read_system_state(cupsd_config_t)
kernel_read_kernel_sysctls(cupsd_config_t)
@@ -473,7 +465,7 @@ optional_policy(`
#
allow cupsd_lpd_t self:process signal_perms;
-allow cupsd_lpd_t self:fifo_file rw_file_perms;
+allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
allow cupsd_lpd_t self:udp_socket create_socket_perms;
allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms;
@@ -489,20 +481,19 @@ optional_policy(`
#end for identd
allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
-allow cupsd_lpd_t cupsd_etc_t:file r_file_perms;
-allow cupsd_lpd_t cupsd_etc_t:lnk_file { getattr read };
-
-allow cupsd_lpd_t cupsd_lpd_tmp_t:dir create_dir_perms;
-allow cupsd_lpd_t cupsd_lpd_tmp_t:file create_file_perms;
-files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
-
-allow cupsd_lpd_t cupsd_lpd_var_run_t:file create_file_perms;
-allow cupsd_lpd_t cupsd_lpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t,file)
+read_files_pattern(cupsd_lpd_t,cupsd_etc_t,cupsd_etc_t)
+read_lnk_files_pattern(cupsd_lpd_t,cupsd_etc_t,cupsd_etc_t)
allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
-allow cupsd_lpd_t cupsd_rw_etc_t:file r_file_perms;
-allow cupsd_lpd_t cupsd_rw_etc_t:lnk_file { getattr read };
+read_files_pattern(cupsd_lpd_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
+read_lnk_files_pattern(cupsd_lpd_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
+
+manage_dirs_pattern(cupsd_lpd_t,cupsd_lpd_tmp_t,cupsd_lpd_tmp_t)
+manage_files_pattern(cupsd_lpd_t,cupsd_lpd_tmp_t,cupsd_lpd_tmp_t)
+files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
+
+manage_files_pattern(cupsd_lpd_t,cupsd_lpd_var_run_t,cupsd_lpd_var_run_t)
+files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t,file)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -557,7 +548,7 @@ optional_policy(`
# Needed for USB Scanneer and xsane
allow hplip_t self:capability { dac_override dac_read_search net_raw };
dontaudit hplip_t self:capability sys_tty_config;
-allow hplip_t self:fifo_file rw_file_perms;
+allow hplip_t self:fifo_file rw_fifo_file_perms;
allow hplip_t self:process signal_perms;
allow hplip_t self:unix_dgram_socket create_socket_perms;
allow hplip_t self:unix_stream_socket create_socket_perms;
@@ -570,13 +561,12 @@ allow hplip_t cupsd_etc_t:dir search;
cups_stream_connect(hplip_t)
-allow hplip_t hplip_etc_t:file r_file_perms;
-allow hplip_t hplip_etc_t:dir r_dir_perms;
-allow hplip_t hplip_etc_t:lnk_file { getattr read };
+allow hplip_t hplip_etc_t:dir list_dir_perms;
+read_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
+read_lnk_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
files_search_etc(hplip_t)
-allow hplip_t hplip_var_run_t:file create_file_perms;
-allow hplip_t hplip_var_run_t:dir rw_dir_perms;
+manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
kernel_read_system_state(hplip_t)
@@ -664,27 +654,23 @@ optional_policy(`
allow ptal_t self:capability { chown sys_rawio };
dontaudit ptal_t self:capability sys_tty_config;
-allow ptal_t self:fifo_file rw_file_perms;
+allow ptal_t self:fifo_file rw_fifo_file_perms;
allow ptal_t self:unix_dgram_socket create_socket_perms;
allow ptal_t self:unix_stream_socket create_stream_socket_perms;
allow ptal_t self:tcp_socket create_stream_socket_perms;
-allow ptal_t ptal_etc_t:file r_file_perms;
-allow ptal_t ptal_etc_t:dir r_dir_perms;
-allow ptal_t ptal_etc_t:lnk_file { getattr read };
+allow ptal_t ptal_etc_t:dir list_dir_perms;
+read_files_pattern(ptal_t,ptal_etc_t,ptal_etc_t)
+read_lnk_files_pattern(ptal_t,ptal_etc_t,ptal_etc_t)
files_search_etc(ptal_t)
-allow ptal_t ptal_var_run_t:dir create_dir_perms;
-allow ptal_t ptal_var_run_t:file create_file_perms;
-allow ptal_t ptal_var_run_t:lnk_file create_lnk_perms;
-allow ptal_t ptal_var_run_t:sock_file create_file_perms;
-allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
+manage_dirs_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
+manage_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
+manage_lnk_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
+manage_fifo_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
+manage_sock_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
files_pid_filetrans(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })
-allow ptal_t ptal_var_run_t:file create_file_perms;
-allow ptal_t ptal_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ptal_t,ptal_var_run_t,file)
-
kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
index 380a139a..5d2de399 100644
--- a/policy/modules/services/cvs.if
+++ b/policy/modules/services/cvs.if
@@ -36,4 +36,3 @@ interface(`cvs_exec',`
can_exec($1,cvs_exec_t)
')
-
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index a0ff5be5..c45ec7f2 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -26,22 +26,21 @@ files_pid_file(cvs_var_run_t)
#
allow cvs_t self:process signal_perms;
-allow cvs_t self:fifo_file rw_file_perms;
+allow cvs_t self:fifo_file rw_fifo_file_perms;
allow cvs_t self:tcp_socket connected_stream_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cvs_t self:capability { setuid setgid };
-allow cvs_t cvs_data_t:dir create_dir_perms;
-allow cvs_t cvs_data_t:file create_file_perms;
-allow cvs_t cvs_data_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(cvs_t,cvs_data_t,cvs_data_t)
+manage_files_pattern(cvs_t,cvs_data_t,cvs_data_t)
+manage_lnk_files_pattern(cvs_t,cvs_data_t,cvs_data_t,cvs_data_t)
-allow cvs_t cvs_tmp_t:dir create_dir_perms;
-allow cvs_t cvs_tmp_t:file create_file_perms;
+manage_dirs_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t)
+manage_files_pattern(cvs_t,cvs_tmp_t,cvs_tmp_t)
files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir })
-allow cvs_t cvs_var_run_t:file create_file_perms;
-allow cvs_t cvs_var_run_t:dir rw_dir_perms;
+manage_files_pattern(cvs_t,cvs_var_run_t,cvs_var_run_t)
files_pid_filetrans(cvs_t,cvs_var_run_t,file)
kernel_read_kernel_sysctls(cvs_t)
diff --git a/policy/modules/services/cyrus.if b/policy/modules/services/cyrus.if
index 30d552e5..c7e26a8d 100644
--- a/policy/modules/services/cyrus.if
+++ b/policy/modules/services/cyrus.if
@@ -17,8 +17,7 @@ interface(`cyrus_manage_data',`
')
files_search_var_lib($1)
- allow $1 cyrus_var_lib_t:dir rw_dir_perms;
- allow $1 cyrus_var_lib_t:file manage_file_perms;
+ manage_files_pattern($1,cyrus_var_lib_t,cyrus_var_lib_t)
')
@@ -38,7 +37,5 @@ interface(`cyrus_stream_connect',`
')
files_search_var_lib($1)
- allow $1 cyrus_var_lib_t:dir search;
- allow $1 cyrus_var_lib_t:sock_file write;
- allow $1 cyrus_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,cyrus_var_lib_t,cyrus_var_lib_t,cyrus_t)
')
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index 48e2c41b..3acb6267 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -29,8 +29,8 @@ dontaudit cyrus_t self:capability sys_tty_config;
allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow cyrus_t self:process setrlimit;
allow cyrus_t self:fd use;
-allow cyrus_t self:fifo_file rw_file_perms;
-allow cyrus_t self:sock_file r_file_perms;
+allow cyrus_t self:fifo_file rw_fifo_file_perms;
+allow cyrus_t self:sock_file read_sock_file_perms;
allow cyrus_t self:shm create_shm_perms;
allow cyrus_t self:sem create_sem_perms;
allow cyrus_t self:msgq create_msgq_perms;
@@ -43,17 +43,18 @@ allow cyrus_t self:tcp_socket create_stream_socket_perms;
allow cyrus_t self:udp_socket create_socket_perms;
allow cyrus_t self:netlink_route_socket r_netlink_socket_perms;
-allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
-allow cyrus_t cyrus_tmp_t:file create_file_perms;
+manage_dirs_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t)
+manage_files_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t)
files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir })
-allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
-allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
+manage_dirs_pattern(cyrus_t,cyrus_var_lib_t,cyrus_var_lib_t)
+manage_files_pattern(cyrus_t,cyrus_var_lib_t,cyrus_var_lib_t)
+manage_lnk_files_pattern(cyrus_t,cyrus_var_lib_t,cyrus_var_lib_t)
+manage_sock_files_pattern(cyrus_t,cyrus_var_lib_t,cyrus_var_lib_t)
files_pid_filetrans(cyrus_t,cyrus_var_run_t,file)
-allow cyrus_t cyrus_var_run_t:dir rw_dir_perms;
-allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
-allow cyrus_t cyrus_var_run_t:file create_file_perms;
+manage_files_pattern(cyrus_t,cyrus_var_run_t,cyrus_var_run_t)
+manage_sock_files_pattern(cyrus_t,cyrus_var_run_t,cyrus_var_run_t)
files_pid_filetrans(cyrus_t,cyrus_var_run_t,{ file sock_file })
kernel_read_kernel_sysctls(cyrus_t)
diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
index 7a15ea21..2eb457d2 100644
--- a/policy/modules/services/dante.te
+++ b/policy/modules/services/dante.te
@@ -28,11 +28,10 @@ allow dante_t self:fifo_file { read write };
allow dante_t self:tcp_socket create_stream_socket_perms;
allow dante_t self:udp_socket create_socket_perms;
-allow dante_t dante_conf_t:dir r_dir_perms;
-allow dante_t dante_conf_t:file r_file_perms;
+allow dante_t dante_conf_t:dir list_dir_perms;
+allow dante_t dante_conf_t:file read_file_perms;
-allow dante_t dante_var_run_t:file create_file_perms;
-allow dante_t dante_var_run_t:dir rw_dir_perms;
+manage_files_pattern(dante_t,dante_var_run_t,dante_var_run_t)
files_pid_filetrans(dante_t,dante_var_run_t,file)
kernel_read_kernel_sysctls(dante_t)
diff --git a/policy/modules/services/dbskk.te b/policy/modules/services/dbskk.te
index c0b25602..27b5d93b 100644
--- a/policy/modules/services/dbskk.te
+++ b/policy/modules/services/dbskk.te
@@ -23,7 +23,7 @@ files_pid_file(dbskkd_var_run_t)
#
allow dbskkd_t self:process signal_perms;
-allow dbskkd_t self:fifo_file rw_file_perms;
+allow dbskkd_t self:fifo_file rw_fifo_file_perms;
allow dbskkd_t self:tcp_socket connected_stream_socket_perms;
allow dbskkd_t self:udp_socket create_socket_perms;
@@ -37,12 +37,11 @@ optional_policy(`
')
#end for identd
-allow dbskkd_t dbskkd_tmp_t:dir create_dir_perms;
-allow dbskkd_t dbskkd_tmp_t:file create_file_perms;
+manage_dirs_pattern(dbskkd_t,dbskkd_tmp_t,dbskkd_tmp_t)
+manage_files_pattern(dbskkd_t,dbskkd_tmp_t,dbskkd_tmp_t)
files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir })
-allow dbskkd_t dbskkd_var_run_t:file create_file_perms;
-allow dbskkd_t dbskkd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(dbskkd_t,dbskkd_var_run_t,dbskkd_var_run_t)
files_pid_filetrans(dbskkd_t,dbskkd_var_run_t,file)
kernel_read_kernel_sysctls(dbskkd_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index f9714825..4dca3f62 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -69,16 +69,16 @@ template(`dbus_per_role_template',`
# Local policy
#
- allow $1_dbusd_t self:capability audit_write;
allow $1_dbusd_t self:process { getattr sigkill signal };
allow $1_dbusd_t self:file { getattr read write };
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
- allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
+ send_audit_msgs_pattern($1_dbusd_t)
+
# For connecting to the bus
allow $2 $1_dbusd_t:unix_stream_socket connectto;
type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
@@ -88,20 +88,15 @@ template(`dbus_per_role_template',`
allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
- allow $1_dbusd_t dbusd_etc_t:dir r_dir_perms;
- allow $1_dbusd_t dbusd_etc_t:file r_file_perms;
- allow $1_dbusd_t dbusd_etc_t:lnk_file { getattr read };
+ allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
+ read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t)
+ read_lnk_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t)
- allow $1_dbusd_t $1_dbusd_tmp_t:dir create_dir_perms;
- allow $1_dbusd_t $1_dbusd_tmp_t:file create_file_perms;
+ manage_dirs_pattern($1_dbusd_t,$1_dbusd_tmp_t,$1_dbusd_tmp_t)
+ manage_files_pattern($1_dbusd_t,$1_dbusd_tmp_t,$1_dbusd_tmp_t)
files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
- domain_auto_trans($2, system_dbusd_exec_t, $1_dbusd_t)
- allow $2 $1_dbusd_t:fd use;
- allow $1_dbusd_t $2:fd use;
- allow $1_dbusd_t $2:fifo_file rw_file_perms;
- allow $1_dbusd_t $2:process sigchld;
-
+ domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
allow $2 $1_dbusd_t:process { sigkill signal };
kernel_read_system_state($1_dbusd_t)
@@ -207,9 +202,7 @@ template(`dbus_system_bus_client_template',`
# For connecting to the bus
files_search_pids($2)
- allow $2 system_dbusd_var_run_t:dir search;
- allow $2 system_dbusd_var_run_t:sock_file write;
- allow $2 system_dbusd_t:unix_stream_socket connectto;
+ stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
')
#######################################
@@ -292,7 +285,7 @@ interface(`dbus_read_config',`
type dbusd_etc_t;
')
- allow $1 dbusd_etc_t:file r_file_perms;
+ allow $1 dbusd_etc_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index c81ed90b..4d712849 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -30,28 +30,28 @@ files_pid_file(system_dbusd_var_run_t)
# dac_override: /var/run/dbus is owned by messagebus on Debian
# cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid audit_write };
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr signal_perms setcap };
allow system_dbusd_t self:fifo_file { read write };
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
-allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
-allow system_dbusd_t dbusd_etc_t:dir r_dir_perms;
-allow system_dbusd_t dbusd_etc_t:file r_file_perms;
-allow system_dbusd_t dbusd_etc_t:lnk_file { getattr read };
+send_audit_msgs_pattern(system_dbusd_t)
-allow system_dbusd_t system_dbusd_tmp_t:dir create_dir_perms;
-allow system_dbusd_t system_dbusd_tmp_t:file create_file_perms;
+allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
+read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
+read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
+
+manage_dirs_pattern(system_dbusd_t,system_dbusd_tmp_t,system_dbusd_tmp_t)
+manage_files_pattern(system_dbusd_t,system_dbusd_tmp_t,system_dbusd_tmp_t)
files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
-allow system_dbusd_t system_dbusd_var_run_t:file create_file_perms;
-allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
-allow system_dbusd_t system_dbusd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
+manage_sock_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
kernel_read_system_state(system_dbusd_t)
diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
index 0f3a2730..867ee4cc 100644
--- a/policy/modules/services/dcc.if
+++ b/policy/modules/services/dcc.if
@@ -16,10 +16,7 @@ interface(`dcc_domtrans_cdcc',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,cdcc_exec_t,cdcc_t)
- allow cdcc_t $1:fd use;
- allow cdcc_t $1:fifo_file rw_file_perms;
- allow cdcc_t $1:process sigchld;
+ domtrans_pattern($1,cdcc_exec_t,cdcc_t)
')
########################################
@@ -70,10 +67,7 @@ interface(`dcc_domtrans_client',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,dcc_client_exec_t,dcc_client_t)
- allow dcc_client_t $1:fd use;
- allow dcc_client_t $1:fifo_file rw_file_perms;
- allow dcc_client_t $1:process sigchld;
+ domtrans_pattern($1,dcc_client_exec_t,dcc_client_t)
')
########################################
@@ -124,10 +118,7 @@ interface(`dcc_domtrans_dbclean',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,dcc_dbclean_exec_t,dcc_dbclean_t)
- allow dcc_dbclean_t $1:fd use;
- allow dcc_dbclean_t $1:fifo_file rw_file_perms;
- allow dcc_dbclean_t $1:process sigchld;
+ domtrans_pattern($1,dcc_dbclean_exec_t,dcc_dbclean_t)
')
########################################
@@ -178,7 +169,5 @@ interface(`dcc_stream_connect_dccifd',`
')
files_search_var($1)
- allow $1 dcc_var_t:dir search;
- allow $1 dccifd_var_run_t:sock_file { getattr write };
- allow $1 dccifd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,dcc_var_t,dccifd_var_run_t,dccifd_t)
')
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index edafebc1..52723ce3 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@@ -88,16 +88,16 @@ allow cdcc_t self:capability setuid;
allow cdcc_t self:unix_dgram_socket create_socket_perms;
allow cdcc_t self:udp_socket create_socket_perms;
-allow cdcc_t cdcc_tmp_t:dir manage_dir_perms;
-allow cdcc_t cdcc_tmp_t:file create_file_perms;
+manage_dirs_pattern(cdcc_t,cdcc_tmp_t,cdcc_tmp_t)
+manage_files_pattern(cdcc_t,cdcc_tmp_t,cdcc_tmp_t)
files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })
allow cdcc_t dcc_client_map_t:file rw_file_perms;
# Access files in /var/dcc. The map file can be updated
-allow cdcc_t dcc_var_t:dir r_dir_perms;
-allow cdcc_t dcc_var_t:file r_file_perms;
-allow cdcc_t dcc_var_t:lnk_file { getattr read };
+allow cdcc_t dcc_var_t:dir list_dir_perms;
+read_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
+read_lnk_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
corenet_non_ipsec_sendrecv(cdcc_t)
corenet_udp_sendrecv_generic_if(cdcc_t)
@@ -132,14 +132,14 @@ allow dcc_client_t self:udp_socket create_socket_perms;
allow dcc_client_t dcc_client_map_t:file rw_file_perms;
-allow dcc_client_t dcc_client_tmp_t:dir manage_dir_perms;
-allow dcc_client_t dcc_client_tmp_t:file create_file_perms;
+manage_dirs_pattern(dcc_client_t,dcc_client_tmp_t,dcc_client_tmp_t)
+manage_files_pattern(dcc_client_t,dcc_client_tmp_t,dcc_client_tmp_t)
files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
# Access files in /var/dcc. The map file can be updated
-allow dcc_client_t dcc_var_t:dir r_dir_perms;
-allow dcc_client_t dcc_var_t:file r_file_perms;
-allow dcc_client_t dcc_var_t:lnk_file { getattr read };
+allow dcc_client_t dcc_var_t:dir list_dir_perms;
+read_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
+read_lnk_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
corenet_non_ipsec_sendrecv(dcc_client_t)
corenet_udp_sendrecv_generic_if(dcc_client_t)
@@ -173,13 +173,13 @@ allow dcc_dbclean_t self:udp_socket create_socket_perms;
allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;
-allow dcc_dbclean_t dcc_dbclean_tmp_t:dir manage_dir_perms;
-allow dcc_dbclean_t dcc_dbclean_tmp_t:file create_file_perms;
+manage_dirs_pattern(dcc_dbclean_t,dcc_dbclean_tmp_t,dcc_dbclean_tmp_t)
+manage_files_pattern(dcc_dbclean_t,dcc_dbclean_tmp_t,dcc_dbclean_tmp_t)
files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir })
-allow dcc_dbclean_t dcc_var_t:dir manage_dir_perms;
-allow dcc_dbclean_t dcc_var_t:file manage_file_perms;
-allow dcc_dbclean_t dcc_var_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
+manage_files_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
+manage_lnk_files_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
kernel_read_system_state(dcc_dbclean_t)
@@ -220,28 +220,24 @@ allow dccd_t self:udp_socket create_socket_perms;
allow dccd_t dcc_client_map_t:file rw_file_perms;
# Access files in /var/dcc. The map file can be updated
-allow dccd_t dcc_var_t:dir r_dir_perms;
-allow dccd_t dcc_var_t:file r_file_perms;
-allow dccd_t dcc_var_t:lnk_file { getattr read };
+allow dccd_t dcc_var_t:dir list_dir_perms;
+read_files_pattern(dccd_t,dcc_var_t,dcc_var_t)
+read_lnk_files_pattern(dccd_t,dcc_var_t,dcc_var_t)
# Runs the dbclean program
-domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
+domtrans_pattern(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
corecmd_search_bin(dccd_t)
-allow dcc_dbclean_t dccd_t:fd use;
-allow dcc_dbclean_t dccd_t:fifo_file rw_file_perms;
-allow dcc_dbclean_t dccd_t:process sigchld;
# Updating dcc_db, flod, ...
-allow dccd_t dcc_var_t:dir manage_dir_perms;
-allow dccd_t dcc_var_t:file manage_file_perms;
-allow dccd_t dcc_var_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(dccd_t,dcc_var_t,dcc_var_t)
+manage_files_pattern(dccd_t,dcc_var_t,dcc_var_t)
+manage_lnk_files_pattern(dccd_t,dcc_var_t,dcc_var_t)
-allow dccd_t dccd_tmp_t:dir manage_dir_perms;
-allow dccd_t dccd_tmp_t:file create_file_perms;
+manage_dirs_pattern(dccd_t,dccd_tmp_t,dccd_tmp_t)
+manage_files_pattern(dccd_t,dccd_tmp_t,dccd_tmp_t)
files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir })
-allow dccd_t dccd_var_run_t:file create_file_perms;
-allow dccd_t dccd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(dccd_t,dccd_var_run_t,dccd_var_run_t)
files_pid_filetrans(dccd_t,dccd_var_run_t,file)
kernel_read_system_state(dccd_t)
@@ -315,21 +311,19 @@ allow dccifd_t self:udp_socket create_socket_perms;
allow dccifd_t dcc_client_map_t:file rw_file_perms;
# Updating dcc_db, flod, ...
-allow dccifd_t dcc_var_t:dir manage_dir_perms;
-allow dccifd_t dcc_var_t:{ file sock_file fifo_file } manage_file_perms;
-allow dccifd_t dcc_var_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(dccifd_t,dcc_var_t,dcc_var_t)
+manage_files_pattern(dccifd_t,dcc_var_t,dcc_var_t)
+manage_lnk_files_pattern(dccifd_t,dcc_var_t,dcc_var_t)
+manage_fifo_files_pattern(dccifd_t,dcc_var_t,dcc_var_t)
+manage_sock_files_pattern(dccifd_t,dcc_var_t,dcc_var_t)
-allow dccifd_t dccifd_tmp_t:dir manage_dir_perms;
-allow dccifd_t dccifd_tmp_t:file manage_file_perms;
+manage_dirs_pattern(dccifd_t,dccifd_tmp_t,dccifd_tmp_t)
+manage_files_pattern(dccifd_t,dccifd_tmp_t,dccifd_tmp_t)
files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir })
-allow dccifd_t dccifd_var_run_t:file manage_file_perms;
-allow dccifd_t dccifd_var_run_t:sock_file manage_file_perms;
-allow dccifd_t dcc_var_t:dir rw_dir_perms;
-type_transition dccifd_t dcc_var_t:{ file sock_file } dccifd_var_run_t;
-
-allow dccifd_t dccifd_var_run_t:file manage_file_perms;
-allow dccifd_t dccifd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(dccifd_t,dccifd_var_run_t,dccifd_var_run_t)
+manage_sock_files_pattern(dccifd_t,dccifd_var_run_t,dccifd_var_run_t)
+filetrans_pattern(dccifd_t,dcc_var_t,dccifd_var_run_t,{ file sock_file })
files_pid_filetrans(dccifd_t,dccifd_var_run_t,file)
kernel_read_system_state(dccifd_t)
@@ -399,21 +393,19 @@ allow dccm_t self:udp_socket create_socket_perms;
allow dccm_t dcc_client_map_t:file rw_file_perms;
-allow dccm_t dcc_var_t:dir manage_dir_perms;
-allow dccm_t dcc_var_t:{ file sock_file fifo_file } create_file_perms;
-allow dccm_t dcc_var_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(dccm_t,dcc_var_t,dcc_var_t)
+manage_files_pattern(dccm_t,dcc_var_t,dcc_var_t)
+manage_lnk_files_pattern(dccm_t,dcc_var_t,dcc_var_t)
+manage_fifo_files_pattern(dccm_t,dcc_var_t,dcc_var_t)
+manage_sock_files_pattern(dccm_t,dcc_var_t,dcc_var_t)
-allow dccm_t dccm_tmp_t:dir manage_dir_perms;
-allow dccm_t dccm_tmp_t:file manage_file_perms;
+manage_dirs_pattern(dccm_t,dccm_tmp_t,dccm_tmp_t)
+manage_files_pattern(dccm_t,dccm_tmp_t,dccm_tmp_t)
files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir })
-allow dccm_t dccm_var_run_t:file manage_file_perms;
-allow dccm_t dccm_var_run_t:sock_file manage_file_perms;
-allow dccm_t dcc_var_run_t:dir rw_dir_perms;
-type_transition dccm_t dcc_var_run_t:{ file sock_file } dccm_var_run_t;
-
-allow dccm_t dccm_var_run_t:file manage_file_perms;
-allow dccm_t dccm_var_run_t:dir rw_dir_perms;
+manage_files_pattern(dccm_t,dccm_var_run_t,dccm_var_run_t)
+manage_sock_files_pattern(dccm_t,dccm_var_run_t,dccm_var_run_t)
+filetrans_pattern(dccm_t,dcc_var_run_t,dccm_var_run_t,{ file sock_file })
files_pid_filetrans(dccm_t,dccm_var_run_t,file)
kernel_read_system_state(dccm_t)
diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if
index c1ddf994..1afdd216 100644
--- a/policy/modules/services/ddclient.if
+++ b/policy/modules/services/ddclient.if
@@ -16,10 +16,5 @@ interface(`ddclient_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1, ddclient_exec_t, ddclient_t)
-
- allow $1 ddclient_t:fd use;
- allow ddclient_t $1:fd use;
- allow ddclient_t $1:fifo_file rw_file_perms;
- allow ddclient_t $1:process sigchld;
+ domtrans_pattern($1, ddclient_exec_t, ddclient_t)
')
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index 3ce1b4f7..c79776da 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -32,28 +32,26 @@ files_pid_file(ddclient_var_run_t)
dontaudit ddclient_t self:capability sys_tty_config;
allow ddclient_t self:process signal_perms;
-allow ddclient_t self:fifo_file rw_file_perms;
+allow ddclient_t self:fifo_file rw_fifo_file_perms;
allow ddclient_t self:tcp_socket create_socket_perms;
allow ddclient_t self:udp_socket create_socket_perms;
-allow ddclient_t ddclient_etc_t:file r_file_perms;
+allow ddclient_t ddclient_etc_t:file read_file_perms;
allow ddclient_t ddclient_log_t:file manage_file_perms;
logging_log_filetrans(ddclient_t,ddclient_log_t,file)
-allow ddclient_t ddclient_var_t:dir manage_dir_perms;
-allow ddclient_t ddclient_var_t:file manage_file_perms;
-allow ddclient_t ddclient_var_t:lnk_file create_lnk_perms;
-allow ddclient_t ddclient_var_t:sock_file manage_file_perms;
-allow ddclient_t ddclient_var_t:fifo_file manage_file_perms;
+manage_dirs_pattern(ddclient_t,ddclient_var_t,ddclient_var_t)
+manage_files_pattern(ddclient_t,ddclient_var_t,ddclient_var_t)
+manage_lnk_files_pattern(ddclient_t,ddclient_var_t,ddclient_var_t)
+manage_fifo_files_pattern(ddclient_t,ddclient_var_t,ddclient_var_t)
+manage_sock_files_pattern(ddclient_t,ddclient_var_t,ddclient_var_t)
files_var_filetrans(ddclient_t,ddclient_var_t,{ file lnk_file sock_file fifo_file })
-allow ddclient_t ddclient_var_lib_t:file manage_file_perms;
-allow ddclient_t ddclient_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(ddclient_t,ddclient_var_lib_t,ddclient_var_lib_t)
files_var_lib_filetrans(ddclient_t,ddclient_var_lib_t,file)
-allow ddclient_t ddclient_var_run_t:file manage_file_perms;
-allow ddclient_t ddclient_var_run_t:dir rw_dir_perms;
+manage_files_pattern(ddclient_t,ddclient_var_run_t,ddclient_var_run_t)
files_pid_filetrans(ddclient_t,ddclient_var_run_t,file)
kernel_read_system_state(ddclient_t)
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index e0e972ff..2e011e0b 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -39,16 +39,14 @@ allow dhcpd_t self:rawip_socket create_socket_perms;
can_exec(dhcpd_t,dhcpd_exec_t)
-allow dhcpd_t dhcpd_state_t:dir rw_dir_perms;
-allow dhcpd_t dhcpd_state_t:file create_file_perms;
+manage_files_pattern(dhcpd_t,dhcpd_state_t,dhcpd_state_t)
sysnet_dhcp_state_filetrans(dhcpd_t,dhcpd_state_t,file)
-allow dhcpd_t dhcpd_tmp_t:dir create_dir_perms;
-allow dhcpd_t dhcpd_tmp_t:file create_file_perms;
+manage_dirs_pattern(dhcpd_t,dhcpd_tmp_t,dhcpd_tmp_t)
+manage_files_pattern(dhcpd_t,dhcpd_tmp_t,dhcpd_tmp_t)
files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })
-allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
-allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(dhcpd_t,dhcpd_var_run_t,dhcpd_var_run_t)
files_pid_filetrans(dhcpd_t,dhcpd_var_run_t,file)
kernel_read_system_state(dhcpd_t)
diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
index fdf932da..df5ab1aa 100644
--- a/policy/modules/services/dictd.te
+++ b/policy/modules/services/dictd.te
@@ -28,11 +28,11 @@ allow dictd_t self:unix_stream_socket create_stream_socket_perms;
allow dictd_t self:tcp_socket create_stream_socket_perms;
allow dictd_t self:udp_socket create_socket_perms;
-allow dictd_t dictd_etc_t:file r_file_perms;
+allow dictd_t dictd_etc_t:file read_file_perms;
files_search_etc(dictd_t)
-allow dictd_t dictd_var_lib_t:dir r_dir_perms;
-allow dictd_t dictd_var_lib_t:file r_file_perms;
+allow dictd_t dictd_var_lib_t:dir list_dir_perms;
+allow dictd_t dictd_var_lib_t:file read_file_perms;
kernel_read_system_state(dictd_t)
kernel_read_kernel_sysctls(dictd_t)
diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te
index cee6b5a3..d8842304 100644
--- a/policy/modules/services/distcc.te
+++ b/policy/modules/services/distcc.te
@@ -31,15 +31,14 @@ allow distccd_t self:fifo_file { read write getattr };
allow distccd_t self:tcp_socket create_stream_socket_perms;
allow distccd_t self:udp_socket create_socket_perms;
-allow distccd_t distccd_log_t:file create_file_perms;
+allow distccd_t distccd_log_t:file manage_file_perms;
logging_log_filetrans(distccd_t,distccd_log_t,file)
-allow distccd_t distccd_tmp_t:dir create_dir_perms;
-allow distccd_t distccd_tmp_t:file create_file_perms;
+manage_dirs_pattern(distccd_t,distccd_tmp_t,distccd_tmp_t)
+manage_files_pattern(distccd_t,distccd_tmp_t,distccd_tmp_t)
files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir })
-allow distccd_t distccd_var_run_t:file create_file_perms;
-allow distccd_t distccd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(distccd_t,distccd_var_run_t,distccd_var_run_t)
files_pid_filetrans(distccd_t,distccd_var_run_t,file)
kernel_read_system_state(distccd_t)
diff --git a/policy/modules/services/djbdns.if b/policy/modules/services/djbdns.if
index e8baf77b..ff1d505f 100644
--- a/policy/modules/services/djbdns.if
+++ b/policy/modules/services/djbdns.if
@@ -29,8 +29,8 @@ template(`djbdns_daemontools_domain_template',`
allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
allow djbdns_$1_t self:udp_socket create_socket_perms;
- allow djbdns_$1_t djbdns_$1_conf_t:dir r_dir_perms;
- allow djbdns_$1_t djbdns_$1_conf_t:file r_file_perms;
+ allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
+ allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
corenet_non_ipsec_sendrecv(djbdns_$1_t)
corenet_tcp_sendrecv_all_if(djbdns_$1_t)
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
index a91f82de..c58a3a41 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
@@ -30,14 +30,14 @@ daemontools_read_svc(djbdns_axfrdns_t)
allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
-allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir r_dir_perms;
-allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file r_file_perms;
+allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
+allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms;
-allow djbdns_axfrdns_t djbdns_tinydns_t:dir r_dir_perms;
-allow djbdns_axfrdns_t djbdns_tinydns_t:file r_file_perms;
+allow djbdns_axfrdns_t djbdns_tinydns_t:dir list_dir_perms;
+allow djbdns_axfrdns_t djbdns_tinydns_t:file read_file_perms;
-allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir r_dir_perms;
-allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file r_file_perms;
+allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir list_dir_perms;
+allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
files_search_var(djbdns_axfrdns_t)
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 0575a511..6ae7ab19 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -35,8 +35,7 @@ allow dnsmasq_t self:rawip_socket create_socket_perms;
allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
-allow dnsmasq_t dnsmasq_var_run_t:file create_file_perms;
-allow dnsmasq_t dnsmasq_var_run_t:dir rw_dir_perms;
+manage_files_pattern(dnsmasq_t,dnsmasq_var_run_t,dnsmasq_var_run_t)
files_pid_filetrans(dnsmasq_t,dnsmasq_var_run_t,file)
kernel_read_kernel_sysctls(dnsmasq_t)
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
index ba714cca..57d55adb 100644
--- a/policy/modules/services/dovecot.if
+++ b/policy/modules/services/dovecot.if
@@ -15,7 +15,6 @@ interface(`dovecot_manage_spool',`
type dovecot_spool_t;
')
- allow $1 dovecot_spool_t:dir rw_dir_perms;
- allow $1 dovecot_spool_t:file create_file_perms;
- allow $1 dovecot_spool_t:lnk_file create_lnk_perms;
+ manage_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
+ manage_lnk_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
')
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index e546326d..620b2788 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -42,33 +42,28 @@ files_pid_file(dovecot_var_run_t)
allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms };
-allow dovecot_t self:fifo_file rw_file_perms;
+allow dovecot_t self:fifo_file rw_fifo_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
-domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
-allow dovecot_t dovecot_auth_t:fd use;
-allow dovecot_auth_t dovecot_t:process sigchld;
-allow dovecot_auth_t dovecot_t:fd use;
-allow dovecot_auth_t dovecot_t:fifo_file { ioctl read write getattr lock append };
+domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
-allow dovecot_t dovecot_cert_t:dir r_dir_perms;
-allow dovecot_t dovecot_cert_t:file r_file_perms;
-allow dovecot_t dovecot_cert_t:lnk_file { getattr read };
+allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+read_files_pattern(dovecot_t,dovecot_cert_t,dovecot_cert_t)
+read_lnk_files_pattern(dovecot_t,dovecot_cert_t,dovecot_cert_t)
-allow dovecot_t dovecot_etc_t:file r_file_perms;
+allow dovecot_t dovecot_etc_t:file read_file_perms;
files_search_etc(dovecot_t)
can_exec(dovecot_t, dovecot_exec_t)
-allow dovecot_t dovecot_spool_t:dir create_dir_perms;
-allow dovecot_t dovecot_spool_t:file create_file_perms;
-allow dovecot_t dovecot_spool_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(dovecot_t,dovecot_spool_t,dovecot_spool_t)
+manage_files_pattern(dovecot_t,dovecot_spool_t,dovecot_spool_t)
+manage_lnk_files_pattern(dovecot_t,dovecot_spool_t,dovecot_spool_t)
-allow dovecot_t dovecot_var_run_t:file create_file_perms;
-allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
-allow dovecot_t dovecot_var_run_t:dir rw_dir_perms;
+manage_files_pattern(dovecot_t,dovecot_var_run_t,dovecot_var_run_t)
+manage_sock_files_pattern(dovecot_t,dovecot_var_run_t,dovecot_var_run_t)
files_pid_filetrans(dovecot_t,dovecot_var_run_t,file)
kernel_read_kernel_sysctls(dovecot_t)
@@ -156,7 +151,7 @@ optional_policy(`
allow dovecot_auth_t self:capability { setgid setuid };
allow dovecot_auth_t self:process signal_perms;
-allow dovecot_auth_t self:fifo_file rw_file_perms;
+allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
@@ -165,8 +160,7 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write io
allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
# Allow dovecot to create and read SSL parameters file
-allow dovecot_t dovecot_var_lib_t:dir rw_dir_perms;
-allow dovecot_t dovecot_var_lib_t:file manage_file_perms;
+manage_files_pattern(dovecot_t,dovecot_var_lib_t,dovecot_var_lib_t)
files_search_var_lib(dovecot_t)
allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index c6ebf594..169dfc89 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -32,13 +32,12 @@ allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms;
allow fetchmail_t self:tcp_socket create_socket_perms;
allow fetchmail_t self:udp_socket create_socket_perms;
-allow fetchmail_t fetchmail_etc_t:file r_file_perms;
+allow fetchmail_t fetchmail_etc_t:file read_file_perms;
-allow fetchmail_t fetchmail_uidl_cache_t:file create_file_perms;
+allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
mta_spool_filetrans(fetchmail_t,fetchmail_uidl_cache_t,file)
-allow fetchmail_t fetchmail_var_run_t:file create_file_perms;
-allow fetchmail_t fetchmail_var_run_t:dir rw_dir_perms;
+manage_files_pattern(fetchmail_t,fetchmail_var_run_t,fetchmail_var_run_t)
files_pid_filetrans(fetchmail_t,fetchmail_var_run_t,file)
kernel_read_kernel_sysctls(fetchmail_t)
diff --git a/policy/modules/services/finger.if b/policy/modules/services/finger.if
index f7b59106..7bdd5cc8 100644
--- a/policy/modules/services/finger.if
+++ b/policy/modules/services/finger.if
@@ -15,12 +15,7 @@ interface(`finger_domtrans',`
type fingerd_t, fingerd_exec_t;
')
- domain_auto_trans($1,fingerd_exec_t,fingerd_t)
-
- allow $1 fingerd_t:fd use;
- allow fingerd_t $1:fd use;
- allow fingerd_t $1:fifo_file rw_file_perms;
- allow fingerd_t $1:process sigchld;
+ domtrans_pattern($1,fingerd_exec_t,fingerd_t)
')
########################################
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index 92a26be1..708cfaf5 100644
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@@ -34,15 +34,14 @@ allow fingerd_t self:udp_socket create_socket_perms;
allow fingerd_t self:unix_dgram_socket create_socket_perms;
allow fingerd_t self:unix_stream_socket create_socket_perms;
-allow fingerd_t fingerd_var_run_t:file create_file_perms;
-allow fingerd_t fingerd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(fingerd_t,fingerd_var_run_t,fingerd_var_run_t)
files_pid_filetrans(fingerd_t,fingerd_var_run_t,file)
-allow fingerd_t fingerd_etc_t:file r_file_perms;
allow fingerd_t fingerd_etc_t:dir r_dir_perms;
-allow fingerd_t fingerd_etc_t:lnk_file { getattr read };
+read_files_pattern(fingerd_t,fingerd_etc_t,fingerd_etc_t)
+read_lnk_files_pattern(fingerd_t,fingerd_etc_t,fingerd_etc_t)
-allow fingerd_t fingerd_log_t:file create_file_perms;
+allow fingerd_t fingerd_log_t:file manage_file_perms;
logging_log_filetrans(fingerd_t,fingerd_log_t,file)
kernel_read_kernel_sysctls(fingerd_t)
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index 266d62c9..86c18ec6 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -101,7 +101,7 @@ interface(`ftp_read_log',`
')
logging_search_logs($1)
- allow $1 xferlog_t:file r_file_perms;
+ allow $1 xferlog_t:file read_file_perms;
')
########################################
@@ -120,9 +120,5 @@ interface(`ftp_domtrans_ftpdctl',`
')
corecmd_search_bin($1)
- domain_auto_trans($1, ftpdctl_exec_t, ftpdctl_t)
-
- allow ftpdctl_t $1:fd use;
- allow ftpdctl_t $1:fifo_file rw_file_perms;
- allow ftpdctl_t $1:process sigchld;
+ domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t)
')
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 33599f26..32d37918 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -45,28 +45,27 @@ allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process signal_perms;
allow ftpd_t self:process { getcap setcap setsched setrlimit };
-allow ftpd_t self:fifo_file rw_file_perms;
+allow ftpd_t self:fifo_file rw_fifo_file_perms;
allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
allow ftpd_t self:udp_socket create_socket_perms;
-allow ftpd_t ftpd_etc_t:file r_file_perms;
+allow ftpd_t ftpd_etc_t:file read_file_perms;
-allow ftpd_t ftpd_tmp_t:dir create_dir_perms;
-allow ftpd_t ftpd_tmp_t:file create_file_perms;
+manage_dirs_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
+manage_files_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t)
files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
-allow ftpd_t ftpd_tmpfs_t:fifo_file create_file_perms;
-allow ftpd_t ftpd_tmpfs_t:dir create_dir_perms;
-allow ftpd_t ftpd_tmpfs_t:file create_file_perms;
-allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms;
-allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms;
+manage_dirs_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
+manage_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
+manage_lnk_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
+manage_fifo_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
+manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-allow ftpd_t ftpd_var_run_t:file manage_file_perms;
-allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
-allow ftpd_t ftpd_var_run_t:sock_file manage_file_perms;
+manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
+manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
# proftpd requires the client side to bind a socket so that
@@ -77,7 +76,7 @@ allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
# Create and modify /var/log/xferlog.
allow ftpd_t xferlog_t:dir search_dir_perms;
-allow ftpd_t xferlog_t:file create_file_perms;
+allow ftpd_t xferlog_t:file manage_file_perms;
logging_log_filetrans(ftpd_t,xferlog_t,file)
kernel_read_kernel_sysctls(ftpd_t)
@@ -200,7 +199,7 @@ tunable_policy(`ftp_home_dir && use_samba_home_dirs',`
')
tunable_policy(`ftpd_is_daemon',`
- allow ftpd_t ftpd_lock_t:file create_file_perms;
+ allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
corenet_tcp_bind_ftp_port(ftpd_t)
@@ -257,9 +256,7 @@ optional_policy(`
#
# Allow ftpdctl to talk to ftpd over a socket connection
-allow ftpdctl_t ftpd_t:unix_stream_socket connectto;
-allow ftpdctl_t ftpd_var_run_t:dir search;
-allow ftpdctl_t ftpd_var_run_t:sock_file write;
+stream_connect_pattern(ftpdctl_t,ftpd_var_run_t,ftpd_var_run_t,ftpd_t)
# ftpdctl creates a socket so that the daemon can perform
# access control decisions (see comments in ftpd_t rules above)
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index d08f4f9f..8c7e6096 100644
--- a/policy/modules/services/gatekeeper.te
+++ b/policy/modules/services/gatekeeper.te
@@ -30,7 +30,7 @@ files_pid_file(gatekeeper_var_run_t)
dontaudit gatekeeper_t self:capability sys_tty_config;
allow gatekeeper_t self:process { setsched signal_perms };
-allow gatekeeper_t self:fifo_file rw_file_perms;
+allow gatekeeper_t self:fifo_file rw_fifo_file_perms;
allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
allow gatekeeper_t self:udp_socket create_socket_perms;
@@ -38,16 +38,14 @@ allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
allow gatekeeper_t gatekeeper_etc_t:file { getattr read };
files_search_etc(gatekeeper_t)
-allow gatekeeper_t gatekeeper_log_t:file create_file_perms;
-allow gatekeeper_t gatekeeper_log_t:dir rw_dir_perms;
+manage_files_pattern(gatekeeper_t,gatekeeper_log_t,gatekeeper_log_t)
logging_log_filetrans(gatekeeper_t,gatekeeper_log_t,{ file dir })
-allow gatekeeper_t gatekeeper_tmp_t:dir create_dir_perms;
-allow gatekeeper_t gatekeeper_tmp_t:file create_file_perms;
+manage_dirs_pattern(gatekeeper_t,gatekeeper_tmp_t,gatekeeper_tmp_t)
+manage_files_pattern(gatekeeper_t,gatekeeper_tmp_t,gatekeeper_tmp_t)
files_tmp_filetrans(gatekeeper_t, gatekeeper_tmp_t, { file dir })
-allow gatekeeper_t gatekeeper_var_run_t:file create_file_perms;
-allow gatekeeper_t gatekeeper_var_run_t:dir rw_dir_perms;
+manage_files_pattern(gatekeeper_t,gatekeeper_var_run_t,gatekeeper_var_run_t)
files_pid_filetrans(gatekeeper_t,gatekeeper_var_run_t,file)
kernel_read_system_state(gatekeeper_t)
diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te
index c8f5af88..23ee78c8 100644
--- a/policy/modules/services/gpm.te
+++ b/policy/modules/services/gpm.te
@@ -30,24 +30,21 @@ files_type(gpmctl_t)
allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };
allow gpm_t self:unix_stream_socket create_stream_socket_perms;
-allow gpm_t gpm_conf_t:dir r_dir_perms;
-allow gpm_t gpm_conf_t:file r_file_perms;
-allow gpm_t gpm_conf_t:lnk_file { getattr read };
+allow gpm_t gpm_conf_t:dir list_dir_perms;
+read_files_pattern(gpm_t,gpm_conf_t,gpm_conf_t)
+read_lnk_files_pattern(gpm_t,gpm_conf_t,gpm_conf_t)
-allow gpm_t gpm_tmp_t:dir create_dir_perms;
-allow gpm_t gpm_tmp_t:file create_file_perms;
+manage_dirs_pattern(gpm_t,gpm_tmp_t,gpm_tmp_t)
+manage_files_pattern(gpm_t,gpm_tmp_t,gpm_tmp_t)
files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir })
-allow gpm_t gpm_var_run_t:file create_file_perms;
+allow gpm_t gpm_var_run_t:file manage_file_perms;
files_pid_filetrans(gpm_t,gpm_var_run_t,file)
-allow gpm_t gpmctl_t:sock_file create_file_perms;
-allow gpm_t gpmctl_t:fifo_file create_file_perms;
+allow gpm_t gpmctl_t:sock_file manage_file_perms;
+allow gpm_t gpmctl_t:fifo_file manage_file_perms;
dev_filetrans(gpm_t,gpmctl_t,{ sock_file fifo_file })
-# cjp: this has no effect
-allow gpm_t gpmctl_t:unix_stream_socket name_bind;
-
kernel_read_kernel_sysctls(gpm_t)
kernel_list_proc(gpm_t)
kernel_read_proc_symlinks(gpm_t)
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
index abe9a827..6a37e699 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
@@ -15,12 +15,7 @@ interface(`hal_domtrans',`
type hald_t, hald_exec_t;
')
- domain_auto_trans($1,hald_exec_t,hald_t)
-
- allow $1 hald_t:fd use;
- allow hald_t $1:fd use;
- allow hald_t $1:fifo_file rw_file_perms;
- allow hald_t $1:process sigchld;
+ domtrans_pattern($1,hald_exec_t,hald_t)
')
########################################
@@ -116,7 +111,7 @@ interface(`hal_read_tmp_files',`
type hald_tmp_t;
')
- allow $1 hald_tmp_t:file r_file_perms;
+ allow $1 hald_tmp_t:file read_file_perms;
')
########################################
@@ -135,7 +130,7 @@ interface(`hal_dontaudit_append_lib_files',`
type hald_var_lib_t;
')
- dontaudit $1 hald_var_lib_t:file ra_file_perms;
+ dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms };
')
########################################
@@ -154,7 +149,7 @@ interface(`hal_read_pid_files',`
')
files_search_pids($1)
- allow $1 hald_var_run_t:file r_file_perms;
+ allow $1 hald_var_run_t:file read_file_perms;
')
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index e84d7e12..ab6b2d77 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -25,30 +25,30 @@ files_type(hald_var_lib_t)
#
# execute openvt which needs setuid
-allow hald_t self:capability { audit_write chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
dontaudit hald_t self:capability sys_tty_config;
allow hald_t self:process signal_perms;
-allow hald_t self:fifo_file rw_file_perms;
+allow hald_t self:fifo_file rw_fifo_file_perms;
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow hald_t self:unix_dgram_socket create_socket_perms;
-allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hald_t self:tcp_socket create_stream_socket_perms;
allow hald_t self:udp_socket create_socket_perms;
# For backwards compatibility with older kernels
allow hald_t self:netlink_socket create_socket_perms;
-allow hald_t hald_tmp_t:dir create_dir_perms;
-allow hald_t hald_tmp_t:file create_file_perms;
+send_audit_msgs_pattern(hald_t)
+
+manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t)
+manage_files_pattern(hald_t,hald_tmp_t,hald_tmp_t)
files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
# var/lib files for hald
-allow hald_t hald_var_lib_t:file manage_file_perms;
-allow hald_t hald_var_lib_t:sock_file manage_file_perms;
-allow hald_t hald_var_lib_t:dir manage_dir_perms;
+manage_dirs_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
+manage_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
+manage_sock_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
-allow hald_t hald_var_run_t:file create_file_perms;
-allow hald_t hald_var_run_t:dir rw_dir_perms;
+manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t)
files_pid_filetrans(hald_t,hald_var_run_t,file)
kernel_read_system_state(hald_t)
diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te
index 83d0fa2f..3aa19f1a 100644
--- a/policy/modules/services/howl.te
+++ b/policy/modules/services/howl.te
@@ -21,12 +21,11 @@ files_pid_file(howl_var_run_t)
allow howl_t self:capability { kill net_admin };
dontaudit howl_t self:capability sys_tty_config;
allow howl_t self:process signal_perms;
-allow howl_t self:fifo_file rw_file_perms;
+allow howl_t self:fifo_file rw_fifo_file_perms;
allow howl_t self:tcp_socket create_stream_socket_perms;
allow howl_t self:udp_socket create_socket_perms;
-allow howl_t howl_var_run_t:file create_file_perms;
-allow howl_t howl_var_run_t:dir rw_dir_perms;
+manage_files_pattern(howl_t,howl_var_run_t,howl_var_run_t)
files_pid_filetrans(howl_t,howl_var_run_t,file)
kernel_read_network_state(howl_t)
diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
index 30e5c663..7a7e7e08 100644
--- a/policy/modules/services/i18n_input.te
+++ b/policy/modules/services/i18n_input.te
@@ -21,15 +21,15 @@ files_pid_file(i18n_input_var_run_t)
allow i18n_input_t self:capability { kill setgid setuid };
dontaudit i18n_input_t self:capability sys_tty_config;
allow i18n_input_t self:process { signal_perms setsched setpgid };
-allow i18n_input_t self:fifo_file rw_file_perms;
+allow i18n_input_t self:fifo_file rw_fifo_file_perms;
allow i18n_input_t self:unix_dgram_socket create_socket_perms;
allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
allow i18n_input_t self:tcp_socket create_stream_socket_perms;
allow i18n_input_t self:udp_socket create_socket_perms;
-allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
-allow i18n_input_t i18n_input_var_run_t:file create_file_perms;
-allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
+manage_dirs_pattern(i18n_input_t,i18n_input_var_run_t,i18n_input_var_run_t)
+manage_files_pattern(i18n_input_t,i18n_input_var_run_t,i18n_input_var_run_t)
+manage_sock_files_pattern(i18n_input_t,i18n_input_var_run_t,i18n_input_var_run_t)
files_pid_filetrans(i18n_input_t,i18n_input_var_run_t,file)
can_exec(i18n_input_t, i18n_input_exec_t)
diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te
index c16259f6..3a618d48 100644
--- a/policy/modules/services/imaze.te
+++ b/policy/modules/services/imaze.te
@@ -30,7 +30,7 @@ files_pid_file(imazesrv_var_run_t)
dontaudit imazesrv_t self:capability sys_tty_config;
allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow imazesrv_t self:fd use;
-allow imazesrv_t self:fifo_file rw_file_perms;
+allow imazesrv_t self:fifo_file rw_fifo_file_perms;
allow imazesrv_t self:unix_dgram_socket { create_socket_perms sendto };
allow imazesrv_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow imazesrv_t self:shm create_shm_perms;
@@ -41,15 +41,14 @@ allow imazesrv_t self:tcp_socket create_stream_socket_perms;
allow imazesrv_t self:udp_socket create_socket_perms;
allow imazesrv_t imazesrv_data_t:dir list_dir_perms;
-allow imazesrv_t imazesrv_data_t:file read_file_perms;
-allow imazesrv_t imazesrv_data_t:lnk_file { getattr read };
+read_files_pattern(imazesrv_t,imazesrv_data_t,imazesrv_data_t)
+read_lnk_files_pattern(imazesrv_t,imazesrv_data_t,imazesrv_data_t)
allow imazesrv_t imazesrv_log_t:file manage_file_perms;
-allow imazesrv_t imazesrv_log_t:dir ra_dir_perms;
+allow imazesrv_t imazesrv_log_t:dir add_entry_dir_perms;
logging_log_filetrans(imazesrv_t,imazesrv_log_t,file)
-allow imazesrv_t imazesrv_var_run_t:file manage_file_perms;
-allow imazesrv_t imazesrv_var_run_t:dir rw_dir_perms;
+manage_files_pattern(imazesrv_t,imazesrv_var_run_t,imazesrv_var_run_t)
files_pid_filetrans(imazesrv_t,imazesrv_var_run_t,file)
kernel_read_kernel_sysctls(imazesrv_t)
diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
index 2edfec6b..fe24a585 100644
--- a/policy/modules/services/inetd.if
+++ b/policy/modules/services/inetd.if
@@ -51,21 +51,12 @@ interface(`inetd_core_service_domain',`
')
can_exec({ unconfined_t initrc_t },$2)
} else {
- domain_auto_trans(inetd_t,$2,$1)
- allow inetd_t $1:fd use;
- allow $1 inetd_t:fd use;
- allow $1 inetd_t:fifo_file rw_file_perms;
- allow $1 inetd_t:process sigchld;
+ domtrans_pattern(inetd_t,$2,$1)
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
-
allow inetd_t $1:process sigkill;
}
',`
- domain_auto_trans(inetd_t,$2,$1)
- allow inetd_t $1:fd use;
- allow $1 inetd_t:fd use;
- allow $1 inetd_t:fifo_file rw_file_perms;
- allow $1 inetd_t:process sigchld;
+ domtrans_pattern(inetd_t,$2,$1)
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
allow inetd_t $1:process sigkill;
@@ -197,12 +188,7 @@ interface(`inetd_domtrans_child',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,inetd_child_exec_t,inetd_child_t)
-
- allow $1 inetd_child_t:fd use;
- allow inetd_child_t $1:fd use;
- allow inetd_child_t $1:fifo_file rw_file_perms;
- allow inetd_child_t $1:process sigchld;
+ domtrans_pattern($1,inetd_child_exec_t,inetd_child_t)
')
########################################
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index 703ec74c..f1431a2a 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -38,18 +38,18 @@ files_pid_file(inetd_child_var_run_t)
allow inetd_t self:capability { setuid setgid };
dontaudit inetd_t self:capability sys_tty_config;
allow inetd_t self:process setsched;
-allow inetd_t self:fifo_file rw_file_perms;
+allow inetd_t self:fifo_file rw_fifo_file_perms;
allow inetd_t self:tcp_socket create_stream_socket_perms;
allow inetd_t self:udp_socket create_socket_perms;
-allow inetd_t inetd_log_t:file create_file_perms;
+allow inetd_t inetd_log_t:file manage_file_perms;
logging_log_filetrans(inetd_t,inetd_log_t,file)
-allow inetd_t inetd_tmp_t:dir create_dir_perms;
-allow inetd_t inetd_tmp_t:file create_file_perms;
+manage_dirs_pattern(inetd_t,inetd_tmp_t,inetd_tmp_t)
+manage_files_pattern(inetd_t,inetd_tmp_t,inetd_tmp_t)
files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir })
-allow inetd_t inetd_var_run_t:file create_file_perms;
+allow inetd_t inetd_var_run_t:file manage_file_perms;
files_pid_filetrans(inetd_t,inetd_var_run_t,file)
kernel_read_kernel_sysctls(inetd_t)
@@ -166,23 +166,20 @@ ifdef(`targeted_policy',`
#
allow inetd_child_t self:process signal_perms;
-allow inetd_child_t self:fifo_file rw_file_perms;
+allow inetd_child_t self:fifo_file rw_fifo_file_perms;
allow inetd_child_t self:tcp_socket connected_stream_socket_perms;
allow inetd_child_t self:udp_socket create_socket_perms;
# for identd
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow inetd_child_t self:capability { setuid setgid };
-allow inetd_child_t self:dir search;
-allow inetd_child_t self:{ lnk_file file } { getattr read };
files_search_home(inetd_child_t)
-allow inetd_child_t inetd_child_tmp_t:dir create_dir_perms;
-allow inetd_child_t inetd_child_tmp_t:file create_file_perms;
+manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
+manage_files_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir })
-allow inetd_child_t inetd_child_var_run_t:file create_file_perms;
-allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms;
+manage_files_pattern(inetd_child_t,inetd_child_var_run_t,inetd_child_var_run_t)
files_pid_filetrans(inetd_child_t,inetd_child_var_run_t,file)
kernel_read_kernel_sysctls(inetd_child_t)
diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if
index 8fe6b8df..a2c89d6b 100644
--- a/policy/modules/services/inn.if
+++ b/policy/modules/services/inn.if
@@ -55,7 +55,7 @@ interface(`inn_manage_log',`
logging_rw_generic_log_dirs($1)
allow $1 innd_log_t:dir search;
- allow $1 innd_log_t:file create_file_perms;
+ allow $1 innd_log_t:file manage_file_perms;
')
########################################
@@ -74,9 +74,8 @@ interface(`inn_manage_pid',`
')
files_search_pids($1)
- allow $1 innd_var_run_t:dir rw_dir_perms;
- allow $1 innd_var_run_t:file create_file_perms;
- allow $1 innd_var_run_t:lnk_file create_lnk_perms;
+ manage_files_pattern($1,innd_var_run_t,innd_var_run_t)
+ manage_lnk_files_pattern($1,innd_var_run_t,innd_var_run_t)
')
########################################
@@ -175,10 +174,5 @@ interface(`inn_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1,innd_exec_t,innd_t)
-
- allow innd_t $1:fd use;
- allow innd_t $1:fifo_file rw_file_perms;
- allow innd_t $1:process sigchld;
+ domtrans_pattern($1,innd_exec_t,innd_t)
')
-
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index ded58fe0..d547c019 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -31,35 +31,34 @@ files_type(news_spool_t)
allow innd_t self:capability { dac_override kill setgid setuid };
dontaudit innd_t self:capability sys_tty_config;
allow innd_t self:process { setsched signal_perms };
-allow innd_t self:fifo_file rw_file_perms;
+allow innd_t self:fifo_file rw_fifo_file_perms;
allow innd_t self:unix_dgram_socket { sendto create_socket_perms };
allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow innd_t self:tcp_socket create_stream_socket_perms;
allow innd_t self:udp_socket create_socket_perms;
allow innd_t self:netlink_route_socket r_netlink_socket_perms;
-allow innd_t innd_etc_t:file r_file_perms;
-allow innd_t innd_etc_t:dir r_dir_perms;
-allow innd_t innd_etc_t:lnk_file { getattr read };
+read_files_pattern(innd_t,innd_etc_t,innd_etc_t)
+read_lnk_files_pattern(innd_t,innd_etc_t,innd_etc_t)
can_exec(innd_t, innd_exec_t)
-allow innd_t innd_log_t:file manage_file_perms;
-allow innd_t innd_log_t:dir { setattr rw_dir_perms };
+manage_files_pattern(innd_t,innd_log_t,innd_log_t)
+allow innd_t innd_log_t:dir setattr;
logging_log_filetrans(innd_t,innd_log_t,file)
-allow innd_t innd_var_lib_t:dir create_dir_perms;
-allow innd_t innd_var_lib_t:file create_file_perms;
+manage_dirs_pattern(innd_t,innd_var_lib_t,innd_var_lib_t)
+manage_files_pattern(innd_t,innd_var_lib_t,innd_var_lib_t)
files_var_lib_filetrans(innd_t,innd_var_lib_t,file)
-allow innd_t innd_var_run_t:dir create_dir_perms;
-allow innd_t innd_var_run_t:file create_file_perms;
-allow innd_t innd_var_run_t:sock_file create_file_perms;
+manage_dirs_pattern(innd_t,innd_var_run_t,innd_var_run_t)
+manage_files_pattern(innd_t,innd_var_run_t,innd_var_run_t)
+manage_sock_files_pattern(innd_t,innd_var_run_t,innd_var_run_t)
files_pid_filetrans(innd_t,innd_var_run_t,file)
-allow innd_t news_spool_t:dir create_dir_perms;
-allow innd_t news_spool_t:file create_file_perms;
-allow innd_t news_spool_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(innd_t,news_spool_t,news_spool_t)
+manage_files_pattern(innd_t,news_spool_t,news_spool_t)
+manage_lnk_files_pattern(innd_t,news_spool_t,news_spool_t)
kernel_read_kernel_sysctls(innd_t)
kernel_read_system_state(innd_t)
diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te
index ed9546e3..4bdfc792 100644
--- a/policy/modules/services/ircd.te
+++ b/policy/modules/services/ircd.te
@@ -32,21 +32,17 @@ allow ircd_t self:process signal_perms;
allow ircd_t self:tcp_socket create_stream_socket_perms;
allow ircd_t self:udp_socket create_socket_perms;
-allow ircd_t ircd_etc_t:file r_file_perms;
-allow ircd_t ircd_etc_t:dir r_dir_perms;
-allow ircd_t ircd_etc_t:lnk_file { getattr read };
+read_files_pattern(ircd_t,ircd_etc_t,ircd_etc_t)
+read_lnk_files_pattern(ircd_t,ircd_etc_t,ircd_etc_t)
files_search_etc(ircd_t)
-allow ircd_t ircd_log_t:file create_file_perms;
-allow ircd_t ircd_log_t:dir rw_dir_perms;
+manage_files_pattern(ircd_t,ircd_log_t,ircd_log_t)
logging_log_filetrans(ircd_t,ircd_log_t,{ file dir })
-allow ircd_t ircd_var_lib_t:file create_file_perms;
-allow ircd_t ircd_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(ircd_t,ircd_var_lib_t,ircd_var_lib_t)
files_var_lib_filetrans(ircd_t,ircd_var_lib_t,file)
-allow ircd_t ircd_var_run_t:file create_file_perms;
-allow ircd_t ircd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(ircd_t,ircd_var_run_t,ircd_var_run_t)
files_pid_filetrans(ircd_t,ircd_var_run_t,file)
kernel_read_system_state(ircd_t)
diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te
index 25368c0e..5c73ace2 100644
--- a/policy/modules/services/irqbalance.te
+++ b/policy/modules/services/irqbalance.te
@@ -21,8 +21,7 @@ files_pid_file(irqbalance_var_run_t)
dontaudit irqbalance_t self:capability sys_tty_config;
allow irqbalance_t self:process signal_perms;
-allow irqbalance_t irqbalance_var_run_t:file create_file_perms;
-allow irqbalance_t irqbalance_var_run_t:dir rw_dir_perms;
+manage_files_pattern(irqbalance_t,irqbalance_var_run_t,irqbalance_var_run_t)
files_pid_filetrans(irqbalance_t,irqbalance_var_run_t,file)
kernel_read_system_state(irqbalance_t)
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 56a9edad..960808b8 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -31,16 +31,13 @@ allow jabberd_t self:fifo_file { read write getattr };
allow jabberd_t self:tcp_socket create_stream_socket_perms;
allow jabberd_t self:udp_socket create_socket_perms;
-allow jabberd_t jabberd_var_lib_t:file create_file_perms;
-allow jabberd_t jabberd_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(jabberd_t,jabberd_var_lib_t,jabberd_var_lib_t)
files_var_lib_filetrans(jabberd_t,jabberd_var_lib_t,file)
-allow jabberd_t jabberd_log_t:file create_file_perms;
-allow jabberd_t jabberd_log_t:dir rw_dir_perms;
+manage_files_pattern(jabberd_t,jabberd_log_t,jabberd_log_t)
logging_log_filetrans(jabberd_t,jabberd_log_t,{ file dir })
-allow jabberd_t jabberd_var_run_t:file create_file_perms;
-allow jabberd_t jabberd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(jabberd_t,jabberd_var_run_t,jabberd_var_run_t)
files_pid_filetrans(jabberd_t,jabberd_var_run_t,file)
kernel_read_kernel_sysctls(jabberd_t)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 7d917aae..99a57b82 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -82,7 +82,7 @@ interface(`kerberos_read_config',`
')
files_search_etc($1)
- allow $1 krb5_conf_t:file r_file_perms;
+ allow $1 krb5_conf_t:file read_file_perms;
')
########################################
@@ -141,5 +141,5 @@ interface(`kerberos_read_keytab',`
')
files_search_etc($1)
- allow $1 krb5_keytab_t:file r_file_perms;
+ allow $1 krb5_keytab_t:file read_file_perms;
')
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 1bf464d6..8640e1bb 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -61,26 +61,24 @@ allow kadmind_t self:unix_dgram_socket { connect create write };
allow kadmind_t self:tcp_socket connected_stream_socket_perms;
allow kadmind_t self:udp_socket create_socket_perms;
-allow kadmind_t kadmind_log_t:file create_file_perms;
+allow kadmind_t kadmind_log_t:file manage_file_perms;
logging_log_filetrans(kadmind_t,kadmind_log_t,file)
-allow kadmind_t krb5_conf_t:file r_file_perms;
+allow kadmind_t krb5_conf_t:file read_file_perms;
dontaudit kadmind_t krb5_conf_t:file write;
-allow kadmind_t krb5kdc_conf_t:dir search;
-allow kadmind_t krb5kdc_conf_t:file r_file_perms;
+read_files_pattern(kadmind_t,krb5kdc_conf_t,krb5kdc_conf_t)
dontaudit kadmind_t krb5kdc_conf_t:file write;
allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
can_exec(kadmind_t, kadmind_exec_t)
-allow kadmind_t kadmind_tmp_t:dir create_dir_perms;
-allow kadmind_t kadmind_tmp_t:file create_file_perms;
+manage_dirs_pattern(kadmind_t,kadmind_tmp_t,kadmind_tmp_t)
+manage_files_pattern(kadmind_t,kadmind_tmp_t,kadmind_tmp_t)
files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
-allow kadmind_t kadmind_var_run_t:file create_file_perms;
-allow kadmind_t kadmind_var_run_t:dir rw_dir_perms;
+manage_files_pattern(kadmind_t,kadmind_var_run_t,kadmind_var_run_t)
files_pid_filetrans(kadmind_t,kadmind_var_run_t,file)
kernel_read_kernel_sysctls(kadmind_t)
@@ -161,27 +159,25 @@ allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
allow krb5kdc_t self:udp_socket create_socket_perms;
-allow krb5kdc_t krb5_conf_t:file r_file_perms;
+allow krb5kdc_t krb5_conf_t:file read_file_perms;
dontaudit krb5kdc_t krb5_conf_t:file write;
can_exec(krb5kdc_t, krb5kdc_exec_t)
-allow krb5kdc_t krb5kdc_conf_t:dir search;
-allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
+read_files_pattern(krb5kdc_t,krb5kdc_conf_t,krb5kdc_conf_t)
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
-allow krb5kdc_t krb5kdc_log_t:file create_file_perms;
+allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
logging_log_filetrans(krb5kdc_t,krb5kdc_log_t,file)
-allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
+allow krb5kdc_t krb5kdc_principal_t:file read_file_perms;
dontaudit krb5kdc_t krb5kdc_principal_t:file write;
-allow krb5kdc_t krb5kdc_tmp_t:dir create_dir_perms;
-allow krb5kdc_t krb5kdc_tmp_t:file create_file_perms;
+manage_dirs_pattern(krb5kdc_t,krb5kdc_tmp_t,krb5kdc_tmp_t)
+manage_files_pattern(krb5kdc_t,krb5kdc_tmp_t,krb5kdc_tmp_t)
files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
-allow krb5kdc_t krb5kdc_var_run_t:file create_file_perms;
-allow krb5kdc_t krb5kdc_var_run_t:dir rw_dir_perms;
+manage_files_pattern(krb5kdc_t,krb5kdc_var_run_t,krb5kdc_var_run_t)
files_pid_filetrans(krb5kdc_t,krb5kdc_var_run_t,file)
kernel_read_system_state(krb5kdc_t)
diff --git a/policy/modules/services/ktalk.te b/policy/modules/services/ktalk.te
index 99da49f9..bef8d804 100644
--- a/policy/modules/services/ktalk.te
+++ b/policy/modules/services/ktalk.te
@@ -26,15 +26,13 @@ files_pid_file(ktalkd_var_run_t)
#
allow ktalkd_t self:process signal_perms;
-allow ktalkd_t self:fifo_file rw_file_perms;
+allow ktalkd_t self:fifo_file rw_fifo_file_perms;
allow ktalkd_t self:tcp_socket connected_stream_socket_perms;
allow ktalkd_t self:udp_socket create_socket_perms;
# for identd
# cjp: this should probably only be inetd_child rules?
allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow ktalkd_t self:capability { setuid setgid };
-allow ktalkd_t self:dir search;
-allow ktalkd_t self:{ lnk_file file } { getattr read };
files_search_home(ktalkd_t)
optional_policy(`
kerberos_use(ktalkd_t)
@@ -44,12 +42,11 @@ optional_policy(`
allow ktalkd_t ktalkd_log_t:file manage_file_perms;
logging_log_filetrans(ktalkd_t,ktalkd_log_t,file)
-allow ktalkd_t ktalkd_tmp_t:dir create_dir_perms;
-allow ktalkd_t ktalkd_tmp_t:file create_file_perms;
+manage_dirs_pattern(ktalkd_t,ktalkd_tmp_t,ktalkd_tmp_t)
+manage_files_pattern(ktalkd_t,ktalkd_tmp_t,ktalkd_tmp_t)
files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
-allow ktalkd_t ktalkd_var_run_t:file create_file_perms;
-allow ktalkd_t ktalkd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(ktalkd_t,ktalkd_var_run_t,ktalkd_var_run_t)
files_pid_filetrans(ktalkd_t,ktalkd_var_run_t,file)
kernel_read_kernel_sysctls(ktalkd_t)
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
index c954c2be..8d5edff9 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
@@ -16,7 +16,7 @@ interface(`ldap_list_db',`
type slapd_db_t;
')
- allow $1 slapd_db_t:dir r_dir_perms;
+ allow $1 slapd_db_t:dir list_dir_perms;
')
########################################
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index c043c0cc..e72bc6f1 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -47,32 +47,31 @@ allow slapd_t self:udp_socket create_socket_perms;
#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
allow slapd_t self:tcp_socket create_stream_socket_perms;
-allow slapd_t slapd_cert_t:dir r_dir_perms;
-allow slapd_t slapd_cert_t:file r_file_perms;
-allow slapd_t slapd_cert_t:lnk_file { getattr read };
+allow slapd_t slapd_cert_t:dir list_dir_perms;
+read_files_pattern(slapd_t,slapd_cert_t,slapd_cert_t)
+read_lnk_files_pattern(slapd_t,slapd_cert_t,slapd_cert_t)
# Allow access to the slapd databases
-allow slapd_t slapd_db_t:dir create_dir_perms;
-allow slapd_t slapd_db_t:file create_file_perms;
-allow slapd_t slapd_db_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(slapd_t,slapd_db_t,slapd_db_t)
+manage_files_pattern(slapd_t,slapd_db_t,slapd_db_t)
+manage_lnk_files_pattern(slapd_t,slapd_db_t,slapd_db_t)
allow slapd_t slapd_etc_t:file { getattr read };
-allow slapd_t slapd_lock_t:file create_file_perms;
+allow slapd_t slapd_lock_t:file manage_file_perms;
files_lock_filetrans(slapd_t,slapd_lock_t,file)
# Allow access to write the replication log (should tighten this)
-allow slapd_t slapd_replog_t:dir create_dir_perms;
-allow slapd_t slapd_replog_t:file create_file_perms;
-allow slapd_t slapd_replog_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(slapd_t,slapd_replog_t,slapd_replog_t)
+manage_files_pattern(slapd_t,slapd_replog_t,slapd_replog_t)
+manage_lnk_files_pattern(slapd_t,slapd_replog_t,slapd_replog_t)
-allow slapd_t slapd_tmp_t:dir create_dir_perms;
-allow slapd_t slapd_tmp_t:file create_file_perms;
+manage_dirs_pattern(slapd_t,slapd_tmp_t,slapd_tmp_t)
+manage_files_pattern(slapd_t,slapd_tmp_t,slapd_tmp_t)
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
-allow slapd_t slapd_var_run_t:file manage_file_perms;
-allow slapd_t slapd_var_run_t:sock_file manage_file_perms;
-allow slapd_t slapd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(slapd_t,slapd_var_run_t,slapd_var_run_t)
+manage_sock_files_pattern(slapd_t,slapd_var_run_t,slapd_var_run_t)
files_pid_filetrans(slapd_t,slapd_var_run_t,{ file sock_file })
kernel_read_system_state(slapd_t)
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index b59cd71c..84ec5d2a 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -77,34 +77,28 @@ template(`lpd_per_role_template',`
can_exec($1_lpr_t,lpr_exec_t)
- allow $1_lpr_t $1_lpr_tmp_t:dir create_dir_perms;
- allow $1_lpr_t $1_lpr_tmp_t:file create_file_perms;
+ manage_dirs_pattern($1_lpr_t,$1_lpr_tmp_t,$1_lpr_tmp_t)
+ manage_files_pattern($1_lpr_t,$1_lpr_tmp_t,$1_lpr_tmp_t)
files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir })
- allow $1_lpr_t $1_print_spool_t:file create_file_perms;
- allow $1_lpr_t print_spool_t:dir rw_dir_perms;
- type_transition $1_lpr_t print_spool_t:file $1_print_spool_t;
+ manage_files_pattern($1_lpr_t,print_spool_t,$1_print_spool_t)
+ filetrans_pattern($1_lpr_t,print_spool_t,$1_print_spool_t,file)
# Read and write shared files in the spool directory.
allow $1_lpr_t print_spool_t:file rw_file_perms;
- allow $1_lpr_t printconf_t:dir r_dir_perms;
- allow $1_lpr_t printconf_t:file r_file_perms;
- allow $1_lpr_t printconf_t:lnk_file { getattr read };
+ allow $1_lpr_t printconf_t:dir list_dir_perms;
+ read_files_pattern($1_lpr_t,printconf_t,printconf_t)
+ read_lnk_files_pattern($1_lpr_t,printconf_t,printconf_t)
dontaudit $1_lpr_t $2:unix_stream_socket { read write };
# Transition from the user domain to the derived domain.
- allow $2 $1_lpr_t:fd use;
- allow $1_lpr_t $2:fd use;
- allow $1_lpr_t $2:fifo_file rw_file_perms;
- allow $1_lpr_t $2:process sigchld;
- domain_auto_trans($2,lpr_exec_t,$1_lpr_t)
+ domtrans_pattern($2,lpr_exec_t,$1_lpr_t)
allow $2 $1_lpr_t:process signull;
# Allow lpd to read, rename, and unlink spool files.
- allow lpd_t $1_print_spool_t:file r_file_perms;
- allow lpd_t $1_print_spool_t:file link_file_perms;
+ allow lpd_t $1_print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
kernel_read_kernel_sysctls($1_lpr_t)
@@ -247,12 +241,7 @@ interface(`lpd_domtrans_checkpc',`
type checkpc_t, checkpc_exec_t;
')
- domain_auto_trans($1,checkpc_exec_t,checkpc_t)
-
- allow $1 checkpc_t:fd use;
- allow checkpc_t $1:fd use;
- allow checkpc_t $1:fifo_file rw_file_perms;
- allow checkpc_t $1:process sigchld;
+ domtrans_pattern($1,checkpc_exec_t,checkpc_t)
')
########################################
@@ -322,10 +311,10 @@ interface(`lpd_manage_spool',`
')
files_search_spool($1)
+ manage_files_pattern($1,print_spool_t,print_spool_t)
# cjp: cups wants setattr
- allow $1 print_spool_t:dir { rw_dir_perms setattr };
- allow $1 print_spool_t:file manage_file_perms;
+ allow $1 print_spool_t:dir setattr;
')
########################################
@@ -364,7 +353,7 @@ interface(`lpd_read_config',`
')
allow $1 printconf_t:dir list_dir_perms;
- allow $1 printconf_t:file r_file_perms;
+ read_files_pattern($1,printconf_t,printconf_t)
')
########################################
@@ -397,10 +386,5 @@ template(`lpd_domtrans_user_lpr',`
type $1_lpr_t, lpr_exec_t;
')
- domain_auto_trans($2, lpr_exec_t, $1_lpr_t)
- allow $2 $1_lpr_t:fd use;
- allow $1_lpr_t $2:fd use;
- allow $1_lpr_t $2:fifo_file rw_file_perms;
- allow $1_lpr_t $2:process sigchld;
+ domtrans_pattern($2, lpr_exec_t, $1_lpr_t)
')
-
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 4d098e20..ade931e8 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -50,14 +50,14 @@ allow checkpc_t self:unix_stream_socket create_socket_perms;
allow checkpc_t self:tcp_socket create_socket_perms;
allow checkpc_t self:udp_socket create_socket_perms;
-allow checkpc_t checkpc_log_t:file create_file_perms;
+allow checkpc_t checkpc_log_t:file manage_file_perms;
logging_log_filetrans(checkpc_t,checkpc_log_t,file)
-allow checkpc_t lpd_var_run_t:dir { search getattr };
+allow checkpc_t lpd_var_run_t:dir search_dir_perms;
files_search_pids(checkpc_t)
-allow checkpc_t print_spool_t:file { rw_file_perms unlink };
-allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr };
+rw_files_pattern(checkpc_t,print_spool_t,print_spool_t)
+delete_files_pattern(checkpc_t,print_spool_t,print_spool_t)
files_search_spool(checkpc_t)
allow checkpc_t printconf_t:file getattr;
@@ -121,25 +121,22 @@ optional_policy(`
allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
dontaudit lpd_t self:capability sys_tty_config;
allow lpd_t self:process signal_perms;
-allow lpd_t self:fifo_file rw_file_perms;
+allow lpd_t self:fifo_file rw_fifo_file_perms;
allow lpd_t self:unix_stream_socket create_stream_socket_perms;
allow lpd_t self:unix_dgram_socket create_socket_perms;
allow lpd_t self:tcp_socket create_stream_socket_perms;
allow lpd_t self:udp_socket create_stream_socket_perms;
-allow lpd_t lpd_tmp_t:dir create_dir_perms;
-allow lpd_t lpd_tmp_t:file create_file_perms;
+manage_dirs_pattern(lpd_t,lpd_tmp_t,lpd_tmp_t)
+manage_files_pattern(lpd_t,lpd_tmp_t,lpd_tmp_t)
files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
-allow lpd_t lpd_var_run_t:dir rw_dir_perms;
-allow lpd_t lpd_var_run_t:file create_file_perms;
-allow lpd_t lpd_var_run_t:sock_file create_file_perms;
+manage_files_pattern(lpd_t,lpd_var_run_t,lpd_var_run_t)
+manage_sock_files_pattern(lpd_t,lpd_var_run_t,lpd_var_run_t)
files_pid_filetrans(lpd_t,lpd_var_run_t,file)
# Write to /var/spool/lpd.
-allow lpd_t print_spool_t:dir rw_dir_perms;
-allow lpd_t print_spool_t:file create_file_perms;
-allow lpd_t print_spool_t:file rw_file_perms;
+manage_files_pattern(lpd_t,print_spool_t,print_spool_t)
files_search_spool(lpd_t)
# lpd must be able to execute the filter utilities in /usr/share/printconf.
@@ -147,11 +144,8 @@ allow lpd_t printconf_t:dir { getattr search read };
can_exec(lpd_t, printconf_t)
# Create and bind to /dev/printer.
-allow lpd_t printer_t:lnk_file create_lnk_perms;
+allow lpd_t printer_t:lnk_file manage_lnk_file_perms;
dev_filetrans(lpd_t,printer_t,lnk_file)
-# cjp: I believe these have no effect:
-allow lpd_t printer_t:unix_stream_socket name_bind;
-allow lpd_t printer_t:unix_dgram_socket name_bind;
kernel_read_kernel_sysctls(lpd_t)
# bash wants access to /proc/meminfo
diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if
index 68a2588e..e7344da3 100644
--- a/policy/modules/services/mailman.if
+++ b/policy/modules/services/mailman.if
@@ -31,20 +31,18 @@ template(`mailman_domain_template', `
allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
allow mailman_$1_t self:udp_socket create_socket_perms;
- allow mailman_$1_t mailman_data_t:dir create_dir_perms;
- allow mailman_$1_t mailman_data_t:file create_file_perms;
- allow mailman_$1_t mailman_data_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern(mailman_$1_t,mailman_data_t,mailman_data_t)
+ manage_files_pattern(mailman_$1_t,mailman_data_t,mailman_data_t)
+ manage_lnk_files_pattern(mailman_$1_t,mailman_data_t,mailman_data_t)
- allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
- allow mailman_$1_t mailman_lock_t:file create_file_perms;
+ manage_files_pattern(mailman_$1_t,mailman_lock_t,mailman_lock_t)
files_lock_filetrans(mailman_$1_t,mailman_lock_t,file)
- allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
- allow mailman_$1_t mailman_log_t:file create_file_perms;
+ manage_files_pattern(mailman_$1_t,mailman_log_t,mailman_log_t)
logging_log_filetrans(mailman_$1_t,mailman_log_t,file)
- allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
- allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
+ manage_dirs_pattern(mailman_$1_t,mailman_$1_tmp_t,mailman_$1_tmp_t)
+ manage_files_pattern(mailman_$1_t,mailman_$1_tmp_t,mailman_$1_tmp_t)
files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
kernel_read_kernel_sysctls(mailman_$1_t)
@@ -106,12 +104,7 @@ interface(`mailman_domtrans',`
type mailman_mail_exec_t, mailman_mail_t;
')
- domain_auto_trans($1, mailman_mail_exec_t, mailman_mail_t)
-
- allow $1 mailman_mail_t:fd use;
- allow mailman_mail_t $1:fd use;
- allow mailman_mail_t $1:fifo_file rw_file_perms;
- allow mailman_mail_t $1:process sigchld;
+ domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
')
#######################################
@@ -130,12 +123,7 @@ interface(`mailman_domtrans_cgi',`
type mailman_cgi_exec_t, mailman_cgi_t;
')
- domain_auto_trans($1, mailman_cgi_exec_t, mailman_cgi_t)
-
- allow $1 mailman_cgi_t:fd use;
- allow mailman_cgi_t $1:fd use;
- allow mailman_cgi_t $1:fifo_file rw_file_perms;
- allow mailman_cgi_t $1:process sigchld;
+ domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
')
#######################################
@@ -207,8 +195,7 @@ interface(`mailman_read_data_files',`
type mailman_data_t;
')
- allow $1 mailman_data_t:dir search_dir_perms;
- allow $1 mailman_data_t:file read_file_perms;
+ read_files_pattern($1,mailman_data_t,mailman_data_t)
')
#######################################
@@ -227,8 +214,7 @@ interface(`mailman_manage_data_files',`
type mailman_data_t;
')
- allow $1 mailman_data_t:dir rw_dir_perms;
- allow $1 mailman_data_t:file manage_file_perms;
+ manage_files_pattern($1,mailman_data_t,mailman_data_t)
')
#######################################
@@ -246,7 +232,7 @@ interface(`mailman_list_data',`
type mailman_data_t;
')
- allow $1 mailman_data_t:dir r_dir_perms;
+ allow $1 mailman_data_t:dir list_dir_perms;
')
#######################################
@@ -264,8 +250,7 @@ interface(`mailman_read_data_symlinks',`
type mailman_data_t;
')
- allow $1 mailman_data_t:dir search;
- allow $1 mailman_data_t:lnk_file read;
+ read_lnk_files_pattern($1,mailman_data_t,mailman_data_t)
')
#######################################
@@ -284,9 +269,8 @@ interface(`mailman_manage_log',`
type mailman_log_t;
')
- allow $1 mailman_log_t:dir rw_dir_perms;
- allow $1 mailman_log_t:file create_file_perms;
- allow $1 mailman_log_t:lnk_file create_lnk_perms;
+ manage_files_pattern($1,mailman_log_t,mailman_log_t)
+ manage_lnk_files_pattern($1,mailman_log_t,mailman_log_t)
')
#######################################
@@ -305,11 +289,10 @@ interface(`mailman_read_archive',`
')
allow $1 mailman_archive_t:dir list_dir_perms;
- allow $1 mailman_archive_t:file r_file_perms;
- allow $1 mailman_archive_t:lnk_file { getattr read };
+ read_files_pattern($1,mailman_archive_t,mailman_archive_t)
+ read_lnk_files_pattern($1,mailman_archive_t,mailman_archive_t)
')
-
#######################################
##
## Execute mailman_queue in the mailman_queue domain.
@@ -325,11 +308,5 @@ interface(`mailman_domtrans_queue',`
type mailman_queue_exec_t, mailman_queue_t;
')
- domain_auto_trans($1, mailman_queue_exec_t, mailman_queue_t)
-
- allow $1 mailman_queue_t:fd use;
- allow mailman_queue_t $1:fd use;
- allow mailman_queue_t $1:fifo_file rw_file_perms;
- allow mailman_queue_t $1:process sigchld;
+ domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
')
-
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index cd1469cc..a5235419 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -40,9 +40,9 @@ optional_policy(`
dev_read_urand(mailman_cgi_t)
- allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
- allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
- allow mailman_cgi_t mailman_archive_t:file create_file_perms;
+ manage_dirs_pattern(mailman_cgi_t,mailman_archive_t,mailman_archive_t)
+ manage_files_pattern(mailman_cgi_t,mailman_archive_t,mailman_archive_t)
+ manage_lnk_files_pattern(mailman_cgi_t,mailman_archive_t,mailman_archive_t)
files_search_spool(mailman_cgi_t)
@@ -85,13 +85,13 @@ optional_policy(`
allow mailman_queue_t self:capability { setgid setuid };
allow mailman_queue_t self:process signal;
-allow mailman_queue_t self:fifo_file rw_file_perms;
+allow mailman_queue_t self:fifo_file rw_fifo_file_perms;
allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
-allow mailman_queue_t mailman_archive_t:dir create_dir_perms;
-allow mailman_queue_t mailman_archive_t:file create_file_perms;
-allow mailman_queue_t mailman_archive_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(mailman_queue_t,mailman_archive_t,mailman_archive_t)
+manage_files_pattern(mailman_queue_t,mailman_archive_t,mailman_archive_t)
+manage_lnk_files_pattern(mailman_queue_t,mailman_archive_t,mailman_archive_t)
kernel_read_proc_symlinks(mailman_queue_t)
diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te
index c0694609..3404d4f2 100644
--- a/policy/modules/services/monop.te
+++ b/policy/modules/services/monop.te
@@ -32,12 +32,11 @@ allow monopd_t self:udp_socket create_socket_perms;
allow monopd_t monopd_etc_t:file { getattr read };
files_search_etc(monopd_t)
-allow monopd_t monopd_share_t:dir r_dir_perms;
-allow monopd_t monopd_share_t:file r_file_perms;
-allow monopd_t monopd_share_t:lnk_file { getattr read };
+allow monopd_t monopd_share_t:dir list_dir_perms;
+read_files_pattern(monopd_t,monopd_share_t,monopd_share_t)
+read_lnk_files_pattern(monopd_t,monopd_share_t,monopd_share_t)
-allow monopd_t monopd_var_run_t:file create_file_perms;
-allow monopd_t monopd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(monopd_t,monopd_var_run_t,monopd_var_run_t)
files_pid_filetrans(monopd_t,monopd_var_run_t,file)
kernel_read_kernel_sysctls(monopd_t)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index e388b871..1a03d844 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -63,7 +63,7 @@ template(`mta_base_mail_template',`
# re-exec itself
can_exec($1_mail_t, sendmail_exec_t)
- allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
+ allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms;
kernel_read_kernel_sysctls($1_mail_t)
@@ -118,17 +118,15 @@ template(`mta_base_mail_template',`
type etc_mail_t, mail_spool_t, mqueue_spool_t;
')
- allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms;
- allow $1_mail_t $1_mail_tmp_t:file create_file_perms;
+ manage_dirs_pattern($1_mail_t,$1_mail_tmp_t,$1_mail_tmp_t)
+ manage_files_pattern($1_mail_t,$1_mail_tmp_t,$1_mail_tmp_t)
files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
allow $1_mail_t etc_mail_t:dir { getattr search };
# Write to /var/spool/mail and /var/spool/mqueue.
- allow $1_mail_t mail_spool_t:dir rw_dir_perms;
- allow $1_mail_t mail_spool_t:file create_file_perms;
- allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
- allow $1_mail_t mqueue_spool_t:file create_file_perms;
+ manage_files_pattern($1_mail_t,mail_spool_t,mail_spool_t)
+ manage_files_pattern($1_mail_t,mqueue_spool_t,mqueue_spool_t)
# Check available space.
fs_getattr_xattr_fs($1_mail_t)
@@ -191,14 +189,9 @@ template(`mta_per_role_template',`
#
# Transition from the user domain to the derived domain.
- domain_auto_trans($2, sendmail_exec_t, $1_mail_t)
+ domtrans_pattern($2, sendmail_exec_t, $1_mail_t)
allow $2 sendmail_exec_t:lnk_file { getattr read };
- allow $2 $1_mail_t:fd use;
- allow $1_mail_t $2:fd use;
- allow $1_mail_t $2:fifo_file rw_file_perms;
- allow $1_mail_t $2:process sigchld;
-
domain_use_interactive_fds($1_mail_t)
userdom_use_user_terminals($1,$1_mail_t)
@@ -275,11 +268,11 @@ template(`mta_admin_template',`
allow mta_user_agent $2:fifo_file { read write };
- allow $1_mail_t etc_aliases_t:dir create_dir_perms;
- allow $1_mail_t etc_aliases_t:file create_file_perms;
- allow $1_mail_t etc_aliases_t:lnk_file create_lnk_perms;
- allow $1_mail_t etc_aliases_t:sock_file create_file_perms;
- allow $1_mail_t etc_aliases_t:fifo_file create_file_perms;
+ manage_dirs_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
+ manage_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
+ manage_lnk_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
+ manage_fifo_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
+ manage_sock_files_pattern($1_mail_t,etc_aliases_t,etc_aliases_t)
files_etc_filetrans($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
# postfix needs this for newaliases
@@ -390,9 +383,11 @@ interface(`mta_mailserver_delivery',`
typeattribute $1 mailserver_delivery;
- allow $1 mail_spool_t:dir ra_dir_perms;
- allow $1 mail_spool_t:file { create ioctl read getattr lock append };
- allow $1 mail_spool_t:lnk_file { create read getattr };
+ allow $1 mail_spool_t:dir list_dir_perms;
+ create_files_pattern($1,mail_spool_t,mail_spool_t)
+ read_files_pattern($1,mail_spool_t,mail_spool_t)
+ create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
+ read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
optional_policy(`
dovecot_manage_spool($1)
@@ -449,7 +444,7 @@ interface(`mta_send_mail',`
type system_mail_t, sendmail_exec_t;
')
- allow $1 sendmail_exec_t:lnk_file r_file_perms;
+ allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
domain_auto_trans($1, sendmail_exec_t, system_mail_t)
allow $1 system_mail_t:fd use;
@@ -533,8 +528,8 @@ interface(`mta_read_config',`
files_search_etc($1)
allow $1 etc_mail_t:dir list_dir_perms;
- allow $1 etc_mail_t:file r_file_perms;
- allow $1 etc_mail_t:lnk_file { getattr read };
+ read_files_pattern($1,etc_mail_t,etc_mail_t)
+ read_lnk_files_pattern($1,etc_mail_t,etc_mail_t)
')
########################################
@@ -553,7 +548,7 @@ interface(`mta_read_aliases',`
')
files_search_etc($1)
- allow $1 etc_aliases_t:file r_file_perms;
+ allow $1 etc_aliases_t:file read_file_perms;
')
########################################
@@ -663,7 +658,7 @@ interface(`mta_getattr_spool',`
')
files_search_spool($1)
- allow $1 mail_spool_t:dir r_dir_perms;
+ allow $1 mail_spool_t:dir list_dir_perms;
allow $1 mail_spool_t:lnk_file read;
allow $1 mail_spool_t:file getattr;
')
@@ -717,8 +712,7 @@ interface(`mta_spool_filetrans',`
')
files_search_spool($1)
- allow $1 mail_spool_t:dir rw_dir_perms;
- type_transition $1 mail_spool_t:$3 $2;
+ filetrans_pattern($1,mail_spool_t,$2,$3)
')
########################################
@@ -737,9 +731,10 @@ interface(`mta_rw_spool',`
')
files_search_spool($1)
- allow $1 mail_spool_t:dir r_dir_perms;
- allow $1 mail_spool_t:lnk_file { getattr read };
- allow $1 mail_spool_t:file { rw_file_perms setattr };
+ allow $1 mail_spool_t:dir list_dir_perms;
+ allow $1 mail_spool_t:file setattr;
+ rw_files_pattern($1,mail_spool_t,mail_spool_t)
+ read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
')
#######################################
@@ -758,9 +753,10 @@ interface(`mta_append_spool',`
')
files_search_spool($1)
- allow $1 mail_spool_t:dir ra_dir_perms;
- allow $1 mail_spool_t:lnk_file { getattr read };
- allow $1 mail_spool_t:file create_file_perms;
+ allow $1 mail_spool_t:dir list_dir_perms;
+ create_files_pattern($1,mail_spool_t,mail_spool_t)
+ write_files_pattern($1,mail_spool_t,mail_spool_t)
+ read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
')
#######################################
@@ -779,8 +775,7 @@ interface(`mta_delete_spool',`
')
files_search_spool($1)
- allow $1 mail_spool_t:dir { list_dir_perms write remove_name };
- allow $1 mail_spool_t:file unlink;
+ delete_files_pattern($1,mail_spool_t,mail_spool_t)
')
########################################
@@ -799,9 +794,9 @@ interface(`mta_manage_spool',`
')
files_search_spool($1)
- allow $1 mail_spool_t:dir manage_dir_perms;
- allow $1 mail_spool_t:lnk_file create_lnk_perms;
- allow $1 mail_spool_t:file manage_file_perms;
+ manage_dirs_pattern($1,mail_spool_t,mail_spool_t)
+ manage_files_pattern($1,mail_spool_t,mail_spool_t)
+ manage_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
')
#######################################
@@ -841,8 +836,7 @@ interface(`mta_manage_queue',`
')
files_search_spool($1)
- allow $1 mqueue_spool_t:dir rw_dir_perms;
- allow $1 mqueue_spool_t:file create_file_perms;
+ manage_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
')
#######################################
@@ -861,7 +855,7 @@ interface(`mta_read_sendmail_bin',`
type sendmail_exec_t;
')
- allow $1 sendmail_exec_t:file r_file_perms;
+ allow $1 sendmail_exec_t:file read_file_perms;
')
#######################################
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 47549676..e6fdef48 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -47,8 +47,7 @@ role system_r types system_mail_t;
# newalias required this, not sure if it is needed in 'if' file
allow system_mail_t self:capability { dac_override };
-allow system_mail_t etc_mail_t:dir { getattr search };
-allow system_mail_t etc_mail_t:file r_file_perms;
+read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
@@ -63,14 +62,10 @@ userdom_use_sysadm_terms(system_mail_t)
ifdef(`targeted_policy',`
typealias system_mail_t alias sysadm_mail_t;
- allow system_mail_t mail_spool_t:dir create_dir_perms;
- allow system_mail_t mail_spool_t:file create_file_perms;
- allow system_mail_t mail_spool_t:lnk_file create_lnk_perms;
- allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
-
- allow system_mail_t mqueue_spool_t:dir create_dir_perms;
- allow system_mail_t mqueue_spool_t:file create_file_perms;
- allow system_mail_t mqueue_spool_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern(system_mail_t,mail_spool_t,mail_spool_t)
+ manage_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
+ manage_lnk_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
+ manage_fifo_files_pattern(system_mail_t,mail_spool_t,mail_spool_t)
# for reading .forward - maybe we need a new type for it?
# also for delivering mail to maildir
@@ -133,11 +128,11 @@ optional_policy(`
')
optional_policy(`
- allow system_mail_t etc_aliases_t:dir create_dir_perms;
- allow system_mail_t etc_aliases_t:file create_file_perms;
- allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms;
- allow system_mail_t etc_aliases_t:sock_file create_file_perms;
- allow system_mail_t etc_aliases_t:fifo_file create_file_perms;
+ manage_dirs_pattern(system_mail_t,etc_aliases_t,etc_aliases_t)
+ manage_files_pattern(system_mail_t,etc_aliases_t,etc_aliases_t)
+ manage_lnk_files_pattern(system_mail_t,etc_aliases_t,etc_aliases_t)
+ manage_fifo_files_pattern(system_mail_t,etc_aliases_t,etc_aliases_t)
+ manage_sock_files_pattern(system_mail_t,etc_aliases_t,etc_aliases_t)
files_etc_filetrans(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index e59c7822..9b3bd9ab 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -38,27 +38,26 @@ allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
allow munin_t self:tcp_socket create_stream_socket_perms;
allow munin_t self:udp_socket create_socket_perms;
-allow munin_t munin_etc_t:file r_file_perms;
-allow munin_t munin_etc_t:dir r_dir_perms;
-allow munin_t munin_etc_t:lnk_file { getattr read };
+allow munin_t munin_etc_t:dir list_dir_perms;
+read_files_pattern(munin_t,munin_etc_t,munin_etc_t)
+read_lnk_files_pattern(munin_t,munin_etc_t,munin_etc_t)
files_search_etc(munin_t)
-allow munin_t munin_log_t:file create_file_perms;
+allow munin_t munin_log_t:file manage_file_perms;
logging_log_filetrans(munin_t,munin_log_t,file)
-allow munin_t munin_tmp_t:dir create_dir_perms;
-allow munin_t munin_tmp_t:file create_file_perms;
+manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t)
+manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t)
files_tmp_filetrans(munin_t, munin_tmp_t, { file dir })
# Allow access to the munin databases
-allow munin_t munin_var_lib_t:dir create_dir_perms;
-allow munin_t munin_var_lib_t:file create_file_perms;
-allow munin_t munin_var_lib_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(munin_t,munin_var_lib_t,munin_var_lib_t)
+manage_files_pattern(munin_t,munin_var_lib_t,munin_var_lib_t)
+manage_lnk_files_pattern(munin_t,munin_var_lib_t,munin_var_lib_t)
files_search_var_lib(munin_t)
-allow munin_t munin_var_run_t:sock_file manage_file_perms;
-allow munin_t munin_var_run_t:file manage_file_perms;
-allow munin_t munin_var_run_t:dir rw_dir_perms;
+manage_files_pattern(munin_t,munin_var_run_t,munin_var_run_t)
+manage_sock_files_pattern(munin_t,munin_var_run_t,munin_var_run_t)
files_pid_filetrans(munin_t,munin_var_run_t,file)
kernel_read_system_state(munin_t)
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index b75e9d08..2f14308d 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -34,9 +34,7 @@ interface(`mysql_stream_connect',`
type mysqld_t, mysqld_var_run_t;
')
- allow $1 mysqld_var_run_t:dir search;
- allow $1 mysqld_var_run_t:sock_file write;
- allow $1 mysqld_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,mysqld_var_run_t,mysqld_var_run_t,mysqld_t)
')
########################################
@@ -117,7 +115,7 @@ interface(`mysql_manage_db_dirs',`
')
files_search_var_lib($1)
- allow $1 mysqld_db_t:dir create_dir_perms;
+ allow $1 mysqld_db_t:dir manage_dir_perms;
')
########################################
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index e7c23ab0..a75f518b 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -38,25 +38,24 @@ allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow mysqld_t self:tcp_socket create_stream_socket_perms;
allow mysqld_t self:udp_socket create_socket_perms;
-allow mysqld_t mysqld_db_t:dir create_dir_perms;
-allow mysqld_t mysqld_db_t:file create_file_perms;
-allow mysqld_t mysqld_db_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(mysqld_t,mysqld_db_t,mysqld_db_t)
+manage_files_pattern(mysqld_t,mysqld_db_t,mysqld_db_t)
+manage_lnk_files_pattern(mysqld_t,mysqld_db_t,mysqld_db_t)
files_var_lib_filetrans(mysqld_t,mysqld_db_t,{ dir file })
allow mysqld_t mysqld_etc_t:file { getattr read };
allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
allow mysqld_t mysqld_etc_t:dir list_dir_perms;
-allow mysqld_t mysqld_log_t:file create_file_perms;
+allow mysqld_t mysqld_log_t:file manage_file_perms;
logging_log_filetrans(mysqld_t,mysqld_log_t,file)
-allow mysqld_t mysqld_tmp_t:dir create_dir_perms;
-allow mysqld_t mysqld_tmp_t:file create_file_perms;
+manage_dirs_pattern(mysqld_t,mysqld_tmp_t,mysqld_tmp_t)
+manage_files_pattern(mysqld_t,mysqld_tmp_t,mysqld_tmp_t)
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
-allow mysqld_t mysqld_var_run_t:dir rw_dir_perms;
-allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
-allow mysqld_t mysqld_var_run_t:file create_file_perms;
+manage_files_pattern(mysqld_t,mysqld_var_run_t,mysqld_var_run_t)
+manage_sock_files_pattern(mysqld_t,mysqld_var_run_t,mysqld_var_run_t)
files_pid_filetrans(mysqld_t,mysqld_var_run_t,file)
kernel_read_system_state(mysqld_t)
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
index 6aa14d28..d34c0350 100644
--- a/policy/modules/services/nagios.if
+++ b/policy/modules/services/nagios.if
@@ -18,7 +18,7 @@ interface(`nagios_read_config',`
')
allow $1 nagios_etc_t:dir list_dir_perms;
- allow $1 nagios_etc_t:file r_file_perms;
+ allow $1 nagios_etc_t:file read_file_perms;
files_search_etc($1)
')
@@ -38,7 +38,7 @@ interface(`nagios_read_tmp_files',`
type nagios_tmp_t;
')
- allow $1 nagios_tmp_t:file r_file_perms;
+ allow $1 nagios_tmp_t:file read_file_perms;
files_search_tmp($1)
')
@@ -58,10 +58,7 @@ interface(`nagios_domtrans_cgi',`
type nagios_cgi_t, nagios_cgi_exec_t;
')
- domain_auto_trans($1,nagios_cgi_exec_t,nagios_cgi_t)
- allow nagios_cgi_t $1:fd use;
- allow nagios_cgi_t $1:fifo_file rw_file_perms;
- allow nagios_cgi_t $1:process sigchld;
+ domtrans_pattern($1,nagios_cgi_exec_t,nagios_cgi_t)
')
########################################
@@ -80,8 +77,5 @@ interface(`nagios_domtrans_nrpe',`
type nrpe_t, nrpe_exec_t;
')
- domain_auto_trans($1,nrpe_exec_t,nrpe_t)
- allow nrpe_t $1:fd use;
- allow nrpe_t $1:fifo_file rw_file_perms;
- allow nrpe_t $1:process sigchld;
+ domtrans_pattern($1,nrpe_exec_t,nrpe_t)
')
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 90c47fea..8572d5ab 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -45,21 +45,19 @@ allow nagios_t self:fifo_file rw_file_perms;
allow nagios_t self:tcp_socket create_stream_socket_perms;
allow nagios_t self:udp_socket create_socket_perms;
-allow nagios_t nagios_etc_t:file r_file_perms;
-allow nagios_t nagios_etc_t:dir r_dir_perms;
-allow nagios_t nagios_etc_t:lnk_file { getattr read };
+read_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t)
+read_lnk_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t)
+allow nagios_t nagios_etc_t:dir list_dir_perms;
-allow nagios_t nagios_log_t:file manage_file_perms;
-allow nagios_t nagios_log_t:fifo_file manage_file_perms;
-allow nagios_t nagios_log_t:dir rw_dir_perms;
+manage_files_pattern(nagios_t,nagios_log_t,nagios_log_t)
+manage_fifo_files_pattern(nagios_t,nagios_log_t,nagios_log_t)
logging_log_filetrans(nagios_t,nagios_log_t,{ file dir })
-allow nagios_t nagios_tmp_t:dir create_dir_perms;
-allow nagios_t nagios_tmp_t:file create_file_perms;
+manage_dirs_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t)
+manage_files_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t)
files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
-allow nagios_t nagios_var_run_t:file create_file_perms;
-allow nagios_t nagios_var_run_t:dir rw_dir_perms;
+manage_files_pattern(nagios_t,nagios_var_run_t,nagios_var_run_t)
files_pid_filetrans(nagios_t,nagios_var_run_t,file)
kernel_read_system_state(nagios_t)
@@ -148,20 +146,19 @@ optional_policy(`
# Nagios CGI local policy
#
-allow nagios_cgi_t self:process { fork signal_perms };
-allow nagios_cgi_t self:fifo_file rw_file_perms;
+allow nagios_cgi_t self:process signal_perms;
+allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
-allow nagios_cgi_t nagios_t:dir r_dir_perms;
-allow nagios_cgi_t nagios_t:file r_file_perms;
-allow nagios_cgi_t nagios_t:lnk_file { getattr read };
+read_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
+read_lnk_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
-allow nagios_cgi_t nagios_etc_t:dir r_dir_perms;
-allow nagios_cgi_t nagios_etc_t:file r_file_perms;
-allow nagios_cgi_t nagios_etc_t:lnk_file { getattr read };
+allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
+read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
+read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
-allow nagios_cgi_t nagios_log_t:dir r_dir_perms;
-allow nagios_cgi_t nagios_log_t:file r_file_perms;
-allow nagios_cgi_t nagios_log_t:lnk_file { getattr read };
+allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
+read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
+read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
kernel_read_system_state(nagios_cgi_t)
@@ -192,7 +189,7 @@ optional_policy(`
dontaudit nrpe_t self:capability sys_tty_config;
allow nrpe_t self:process { setpgid signal_perms };
-allow nrpe_t self:fifo_file rw_file_perms;
+allow nrpe_t self:fifo_file rw_fifo_file_perms;
allow nrpe_t nrpe_etc_t:file { getattr read };
files_search_etc(nrpe_t)
diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te
index 24657c60..0c76b005 100644
--- a/policy/modules/services/nessus.te
+++ b/policy/modules/services/nessus.te
@@ -37,20 +37,18 @@ allow nessusd_t self:rawip_socket create_socket_perms;
allow nessusd_t self:packet_socket create_socket_perms;
# Allow access to the nessusd authentication database
-allow nessusd_t nessusd_db_t:dir create_dir_perms;
-allow nessusd_t nessusd_db_t:file create_file_perms;
-allow nessusd_t nessusd_db_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(nessusd_t,nessusd_db_t,nessusd_db_t)
+manage_files_pattern(nessusd_t,nessusd_db_t,nessusd_db_t)
+manage_lnk_files_pattern(nessusd_t,nessusd_db_t,nessusd_db_t)
files_list_var_lib(nessusd_t)
allow nessusd_t nessusd_etc_t:file { getattr read };
files_search_etc(nessusd_t)
-allow nessusd_t nessusd_log_t:file create_file_perms;
-allow nessusd_t nessusd_log_t:dir rw_dir_perms;
+manage_files_pattern(nessusd_t,nessusd_log_t,nessusd_log_t)
logging_log_filetrans(nessusd_t,nessusd_log_t,{ file dir })
-allow nessusd_t nessusd_var_run_t:file create_file_perms;
-allow nessusd_t nessusd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(nessusd_t,nessusd_var_run_t,nessusd_var_run_t)
files_pid_filetrans(nessusd_t,nessusd_var_run_t,file)
kernel_read_system_state(nessusd_t)
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index be2f7a1b..01b7dc92 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -20,10 +20,10 @@ files_pid_file(NetworkManager_var_run_t)
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock};
+allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };
-allow NetworkManager_t self:fifo_file rw_file_perms;
+allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
@@ -31,9 +31,9 @@ allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
-allow NetworkManager_t NetworkManager_var_run_t:file create_file_perms;
-allow NetworkManager_t NetworkManager_var_run_t:dir create_dir_perms;
-allow NetworkManager_t NetworkManager_var_run_t:sock_file create_file_perms;
+manage_dirs_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
+manage_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
+manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
kernel_read_system_state(NetworkManager_t)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index 1a83ef45..df40154a 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -33,9 +33,9 @@ interface(`nis_use_ypbind_uncond',`
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
- allow $1 var_yp_t:dir r_dir_perms;
+ allow $1 var_yp_t:dir list_dir_perms;
allow $1 var_yp_t:lnk_file { getattr read };
- allow $1 var_yp_t:file r_file_perms;
+ allow $1 var_yp_t:file read_file_perms;
corenet_non_ipsec_sendrecv($1)
corenet_tcp_sendrecv_all_if($1)
@@ -102,12 +102,7 @@ interface(`nis_domtrans_ypbind',`
')
corecmd_search_bin($1)
- domain_auto_trans($1,ypbind_exec_t,ypbind_t)
-
- allow $1 ypbind_t:fd use;
- allow ypbind_t $1:fd use;
- allow ypbind_t $1:fifo_file rw_file_perms;
- allow ypbind_t $1:process sigchld;
+ domtrans_pattern($1,ypbind_exec_t,ypbind_t)
')
########################################
@@ -144,7 +139,7 @@ interface(`nis_list_var_yp',`
')
files_search_var($1)
- allow $1 var_yp_t:dir r_dir_perms;
+ allow $1 var_yp_t:dir list_dir_perms;
')
########################################
@@ -191,7 +186,7 @@ interface(`nis_read_ypbind_pid',`
')
files_search_pids($1)
- allow $1 ypbind_var_run_t:file r_file_perms;
+ allow $1 ypbind_var_run_t:file read_file_perms;
')
########################################
@@ -249,9 +244,5 @@ interface(`nis_domtrans_ypxfr',`
corecmd_search_bin($1)
corecmd_search_sbin($1)
- domain_auto_trans($1,ypxfr_exec_t,ypxfr_t)
-
- allow ypxfr_t $1:fd use;
- allow ypxfr_t $1:fifo_file rw_file_perms;
- allow ypxfr_t $1:process sigchld;
+ domtrans_pattern($1,ypxfr_exec_t,ypxfr_t)
')
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index ac504f91..30b1523f 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -49,23 +49,21 @@ init_daemon_domain(ypxfr_t,ypxfr_exec_t)
# ypbind local policy
dontaudit ypbind_t self:capability { net_admin sys_tty_config };
-allow ypbind_t self:fifo_file rw_file_perms;
+allow ypbind_t self:fifo_file rw_fifo_file_perms;
allow ypbind_t self:process signal_perms;
allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
allow ypbind_t self:tcp_socket create_stream_socket_perms;
allow ypbind_t self:udp_socket create_socket_perms;
-allow ypbind_t ypbind_tmp_t:dir create_dir_perms;
-allow ypbind_t ypbind_tmp_t:file create_file_perms;
+manage_dirs_pattern(ypbind_t,ypbind_tmp_t,ypbind_tmp_t)
+manage_files_pattern(ypbind_t,ypbind_tmp_t,ypbind_tmp_t)
files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir })
-allow ypbind_t ypbind_var_run_t:file manage_file_perms;
-allow ypbind_t ypbind_var_run_t:dir rw_dir_perms;
+manage_files_pattern(ypbind_t,ypbind_var_run_t,ypbind_var_run_t)
files_pid_filetrans(ypbind_t,ypbind_var_run_t,file)
-allow ypbind_t var_yp_t:dir rw_dir_perms;
-allow ypbind_t var_yp_t:file create_file_perms;
+manage_files_pattern(ypbind_t,var_yp_t,var_yp_t)
kernel_read_kernel_sysctls(ypbind_t)
kernel_list_proc(ypbind_t)
@@ -140,7 +138,7 @@ optional_policy(`
#
dontaudit yppasswdd_t self:capability sys_tty_config;
-allow yppasswdd_t self:fifo_file rw_file_perms;
+allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
allow yppasswdd_t self:process { setfscreate signal_perms };
allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
@@ -148,13 +146,11 @@ allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
allow yppasswdd_t self:udp_socket create_socket_perms;
-allow yppasswdd_t yppasswdd_var_run_t:file create_file_perms;
-allow yppasswdd_t yppasswdd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(yppasswdd_t,yppasswdd_var_run_t,yppasswdd_var_run_t)
files_pid_filetrans(yppasswdd_t,yppasswdd_var_run_t,file)
-allow yppasswdd_t var_yp_t:dir rw_dir_perms;
-allow yppasswdd_t var_yp_t:file create_file_perms;
-allow yppasswdd_t var_yp_t:lnk_file create_lnk_perms;
+manage_files_pattern(yppasswdd_t,var_yp_t,var_yp_t)
+manage_lnk_files_pattern(yppasswdd_t,var_yp_t,var_yp_t)
kernel_list_proc(yppasswdd_t)
kernel_read_proc_symlinks(yppasswdd_t)
@@ -239,7 +235,7 @@ optional_policy(`
#
dontaudit ypserv_t self:capability sys_tty_config;
-allow ypserv_t self:fifo_file rw_file_perms;
+allow ypserv_t self:fifo_file rw_fifo_file_perms;
allow ypserv_t self:process signal_perms;
allow ypserv_t self:unix_dgram_socket create_socket_perms;
allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
@@ -247,17 +243,15 @@ allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
allow ypserv_t self:tcp_socket connected_stream_socket_perms;
allow ypserv_t self:udp_socket create_socket_perms;
-allow ypserv_t var_yp_t:dir rw_dir_perms;
-allow ypserv_t var_yp_t:file create_file_perms;
+manage_files_pattern(ypserv_t,var_yp_t,var_yp_t)
allow ypserv_t ypserv_conf_t:file { getattr read };
-allow ypserv_t ypserv_tmp_t:dir create_dir_perms;
-allow ypserv_t ypserv_tmp_t:file create_file_perms;
+manage_dirs_pattern(ypserv_t,ypserv_tmp_t,ypserv_tmp_t)
+manage_files_pattern(ypserv_t,ypserv_tmp_t,ypserv_tmp_t)
files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })
-allow ypserv_t ypserv_var_run_t:dir rw_dir_perms;
-allow ypserv_t ypserv_var_run_t:file manage_file_perms;
+manage_files_pattern(ypserv_t,ypserv_var_run_t,ypserv_var_run_t)
files_pid_filetrans(ypserv_t,ypserv_var_run_t,file)
kernel_read_kernel_sysctls(ypserv_t)
@@ -331,12 +325,11 @@ optional_policy(`
allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
-allow ypxfr_t var_yp_t:dir search_dir_perms;
-allow ypxfr_t var_yp_t:file read_file_perms;
-
allow ypxfr_t ypserv_t:tcp_socket { read write };
allow ypxfr_t ypserv_t:udp_socket { read write };
+read_files_pattern(ypxfr_t,var_yp_t,var_yp_t)
+
corenet_non_ipsec_sendrecv(ypxfr_t)
corenet_tcp_sendrecv_all_if(ypxfr_t)
corenet_udp_sendrecv_all_if(ypxfr_t)
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index f72739df..edeb2175 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -34,12 +34,7 @@ interface(`nscd_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,nscd_exec_t,nscd_t)
-
- allow $1 nscd_t:fd use;
- allow nscd_t $1:fd use;
- allow nscd_t $1:fifo_file rw_file_perms;
- allow nscd_t $1:process sigchld;
+ domtrans_pattern($1,nscd_exec_t,nscd_t)
')
########################################
@@ -80,14 +75,12 @@ interface(`nscd_socket_use',`
allow $1 self:unix_stream_socket create_socket_perms;
- allow $1 nscd_t:unix_stream_socket connectto;
allow $1 nscd_t:nscd { getpwd getgrp gethost };
dontaudit $1 nscd_t:fd use;
dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
files_search_pids($1)
- allow $1 nscd_var_run_t:dir r_dir_perms;
- allow $1 nscd_var_run_t:sock_file rw_file_perms;
+ stream_connect_pattern($1,nscd_var_run_t,nscd_var_run_t,nscd_t)
dontaudit $1 nscd_var_run_t:file { getattr read };
')
@@ -108,7 +101,7 @@ interface(`nscd_shm_use',`
class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
')
- allow $1 nscd_var_run_t:dir r_dir_perms;
+ allow $1 nscd_var_run_t:dir list_dir_perms;
allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
# Receive fd from nscd and map the backing file with read access.
@@ -159,8 +152,7 @@ interface(`nscd_read_pid',`
')
files_search_pids($1)
- allow $1 nscd_var_run_t:dir search;
- allow $1 nscd_var_run_t:file { getattr read };
+ read_files_pattern($1,nscd_var_run_t,nscd_var_run_t)
')
########################################
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 3ec3240c..3a4925b4 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -44,12 +44,11 @@ allow nscd_t self:udp_socket create_socket_perms;
# Transition occurs to nscd_t due to direct_sysadm_daemon.
allow nscd_t self:nscd { admin getstat };
-allow nscd_t nscd_log_t:file create_file_perms;
+allow nscd_t nscd_log_t:file manage_file_perms;
logging_log_filetrans(nscd_t,nscd_log_t,file)
-allow nscd_t nscd_var_run_t:file create_file_perms;
-allow nscd_t nscd_var_run_t:sock_file create_file_perms;
-allow nscd_t nscd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(nscd_t,nscd_var_run_t,nscd_var_run_t)
+manage_sock_files_pattern(nscd_t,nscd_var_run_t,nscd_var_run_t)
files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file })
kernel_read_kernel_sysctls(nscd_t)
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
index c4dd8cd8..03af5e4e 100644
--- a/policy/modules/services/nsd.te
+++ b/policy/modules/services/nsd.te
@@ -41,21 +41,19 @@ allow nsd_t self:process signal_perms;
allow nsd_t self:tcp_socket create_stream_socket_perms;
allow nsd_t self:udp_socket create_socket_perms;
-allow nsd_t nsd_conf_t:dir r_dir_perms;
-allow nsd_t nsd_conf_t:file r_file_perms;
-allow nsd_t nsd_conf_t:lnk_file { getattr read };
+allow nsd_t nsd_conf_t:dir list_dir_perms;
+read_files_pattern(nsd_t,nsd_conf_t,nsd_conf_t)
+read_lnk_files_pattern(nsd_t,nsd_conf_t,nsd_conf_t)
allow nsd_t nsd_db_t:file manage_file_perms;
-type_transition nsd_t nsd_zone_t:file nsd_db_t;
-allow nsd_t nsd_zone_t:dir rw_dir_perms;
+filetrans_pattern(nsd_t,nsd_zone_t,nsd_db_t,file)
-allow nsd_t nsd_var_run_t:file create_file_perms;
-allow nsd_t nsd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(nsd_t,nsd_var_run_t,nsd_var_run_t)
files_pid_filetrans(nsd_t,nsd_var_run_t,file)
-allow nsd_t nsd_zone_t:dir r_dir_perms;
-allow nsd_t nsd_zone_t:file r_file_perms;
-allow nsd_t nsd_zone_t:lnk_file { getattr read };
+allow nsd_t nsd_zone_t:dir list_dir_perms;
+read_files_pattern(nsd_t,nsd_zone_t,nsd_zone_t)
+read_lnk_files_pattern(nsd_t,nsd_zone_t,nsd_zone_t)
can_exec(nsd_t,nsd_exec_t)
@@ -131,26 +129,22 @@ optional_policy(`
allow nsd_crond_t self:capability { dac_override kill };
dontaudit nsd_crond_t self:capability sys_nice;
allow nsd_crond_t self:process { setsched signal_perms };
-allow nsd_crond_t self:fifo_file rw_file_perms;
+allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
allow nsd_crond_t self:tcp_socket create_socket_perms;
allow nsd_crond_t self:udp_socket create_socket_perms;
allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
allow nsd_crond_t nsd_db_t:file manage_file_perms;
-type_transition nsd_crond_t nsd_zone_t:file nsd_db_t;
-allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
+filetrans_pattern(nsd_crond_t,nsd_zone_t,nsd_db_t,file)
files_search_var_lib(nsd_crond_t)
allow nsd_crond_t nsd_t:process signal;
-allow nsd_crond_t nsd_t:dir { search getattr read };
-allow nsd_crond_t nsd_t:{ file lnk_file } { read getattr };
-allow nsd_crond_t nsd_t:process getattr;
-allow nsd_crond_t nsd_zone_t:file manage_file_perms;
-allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
-type_transition nsd_crond_t nsd_conf_t:file nsd_zone_t;
-allow nsd_crond_t nsd_conf_t:dir rw_dir_perms;
+ps_process_pattern(nsd_crond_t,nsd_t)
+
+manage_files_pattern(nsd_crond_t,nsd_zone_t,nsd_zone_t)
+filetrans_pattern(nsd_crond_t,nsd_conf_t,nsd_zone_t,file)
can_exec(nsd_crond_t,nsd_exec_t)
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
index 7a2b1245..4c45ebe5 100644
--- a/policy/modules/services/ntop.te
+++ b/policy/modules/services/ntop.te
@@ -38,23 +38,22 @@ allow ntop_t self:tcp_socket create_stream_socket_perms;
allow ntop_t self:udp_socket create_socket_perms;
allow ntop_t self:packet_socket create_socket_perms;
-allow ntop_t ntop_etc_t:file r_file_perms;
-allow ntop_t ntop_etc_t:dir r_dir_perms;
-allow ntop_t ntop_etc_t:lnk_file { getattr read };
+allow ntop_t ntop_etc_t:dir list_dir_perms;
+read_files_pattern(ntop_t,ntop_etc_t,ntop_etc_t)
+read_lnk_files_pattern(ntop_t,ntop_etc_t,ntop_etc_t)
-allow ntop_t ntop_http_content_t:file r_file_perms;
-allow ntop_t ntop_http_content_t:dir r_dir_perms;
+allow ntop_t ntop_http_content_t:dir list_dir_perms;
+read_files_pattern(ntop_t,ntop_http_content_t,ntop_http_content_t)
-allow ntop_t ntop_tmp_t:dir create_dir_perms;
-allow ntop_t ntop_tmp_t:file create_file_perms;
+manage_dirs_pattern(ntop_t,ntop_tmp_t,ntop_tmp_t)
+manage_files_pattern(ntop_t,ntop_tmp_t,ntop_tmp_t)
files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir })
-allow ntop_t ntop_var_lib_t:file create_file_perms;
-allow ntop_t ntop_var_lib_t:dir { create rw_dir_perms };
+create_dirs_pattern(ntop_t,ntop_var_lib_t,ntop_var_lib_t)
+manage_files_pattern(ntop_t,ntop_var_lib_t,ntop_var_lib_t)
files_var_lib_filetrans(ntop_t,ntop_var_lib_t,file)
-allow ntop_t ntop_var_run_t:file manage_file_perms;
-allow ntop_t ntop_var_run_t:dir rw_dir_perms;
+manage_files_pattern(ntop_t,ntop_var_run_t,ntop_var_run_t)
files_pid_filetrans(ntop_t,ntop_var_run_t,file)
kernel_read_network_state(ntop_t)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index bbae8f8e..87521845 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -32,12 +32,7 @@ interface(`ntp_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,ntpd_exec_t,ntpd_t)
-
- allow $1 ntpd_t:fd use;
- allow ntpd_t $1:fd use;
- allow ntpd_t $1:fifo_file rw_file_perms;
- allow ntpd_t $1:process sigchld;
+ domtrans_pattern($1,ntpd_exec_t,ntpd_t)
')
########################################
@@ -56,10 +51,5 @@ interface(`ntp_domtrans_ntpdate',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,ntpdate_exec_t,ntpd_t)
-
- allow $1 ntpd_t:fd use;
- allow ntpd_t $1:fd use;
- allow ntpd_t $1:fifo_file rw_file_perms;
- allow ntpd_t $1:process sigchld;
+ domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
')
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 5c2ded01..251fe71b 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -41,22 +41,20 @@ allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:tcp_socket create_stream_socket_perms;
allow ntpd_t self:udp_socket create_socket_perms;
-allow ntpd_t ntp_drift_t:dir rw_dir_perms;
-allow ntpd_t ntp_drift_t:file create_file_perms;
+manage_files_pattern(ntpd_t,ntp_drift_t,ntp_drift_t)
can_exec(ntpd_t,ntpd_exec_t)
-allow ntpd_t ntpd_log_t:file create_file_perms;
-allow ntpd_t ntpd_log_t:dir { rw_dir_perms setattr };
+allow ntpd_t ntpd_log_t:dir setattr;
+manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
# for some reason it creates a file in /tmp
-allow ntpd_t ntpd_tmp_t:dir create_dir_perms;
-allow ntpd_t ntpd_tmp_t:file create_file_perms;
+manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
+manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
-allow ntpd_t ntpd_var_run_t:file create_file_perms;
-allow ntpd_t ntpd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(ntpd_t,ntpd_var_run_t,ntpd_var_run_t)
files_pid_filetrans(ntpd_t,ntpd_var_run_t,file)
kernel_read_kernel_sysctls(ntpd_t)
diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if
index 2287f85d..0e345bea 100644
--- a/policy/modules/services/nx.if
+++ b/policy/modules/services/nx.if
@@ -15,8 +15,5 @@ interface(`nx_spec_domtrans_server',`
type nx_server_t, nx_server_exec_t;
')
- domain_trans($1,nx_server_exec_t,nx_server_t)
- allow nx_server_t $1:fd use;
- allow nx_server_t $1:fifo_file rw_file_perms;
- allow nx_server_t $1:process sigchld;
+ spec_domtrans_pattern($1,nx_server_exec_t,nx_server_t)
')
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
index 0a0d5920..ff9b491e 100644
--- a/policy/modules/services/nx.te
+++ b/policy/modules/services/nx.te
@@ -34,15 +34,14 @@ allow nx_server_t self:fifo_file { getattr ioctl read write };
allow nx_server_t self:tcp_socket create_socket_perms;
allow nx_server_t self:udp_socket create_socket_perms;
-allow nx_server_t nx_server_devpts_t:chr_file { rw_file_perms setattr };
+allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(nx_server_t,nx_server_devpts_t)
-allow nx_server_t nx_server_tmp_t:dir manage_dir_perms;
-allow nx_server_t nx_server_tmp_t:file manage_file_perms;
+manage_dirs_pattern(nx_server_t,nx_server_tmp_t,nx_server_tmp_t)
+manage_files_pattern(nx_server_t,nx_server_tmp_t,nx_server_tmp_t)
files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
-allow nx_server_t nx_server_var_run_t:file manage_file_perms;
-allow nx_server_t nx_server_var_run_t:dir rw_dir_perms;
+manage_files_pattern(nx_server_t,nx_server_var_run_t,nx_server_var_run_t)
files_pid_filetrans(nx_server_t,nx_server_var_run_t,file)
kernel_read_system_state(nx_server_t)
diff --git a/policy/modules/services/oav.if b/policy/modules/services/oav.if
index 8f28e335..5e083058 100644
--- a/policy/modules/services/oav.if
+++ b/policy/modules/services/oav.if
@@ -16,12 +16,7 @@ interface(`oav_domtrans_update',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,oav_update_exec_t,oav_update_t)
-
- allow $1 oav_update_t:fd use;
- allow oav_update_t $1:fd use;
- allow oav_update_t $1:fifo_file rw_file_perms;
- allow oav_update_t $1:process sigchld;
+ domtrans_pattern($1,oav_update_exec_t,oav_update_t)
')
########################################
diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
index b16233be..02e9968a 100644
--- a/policy/modules/services/oav.te
+++ b/policy/modules/services/oav.te
@@ -40,13 +40,13 @@ allow oav_update_t self:tcp_socket create_stream_socket_perms;
allow oav_update_t self:udp_socket create_socket_perms;
# Can read /etc/oav-update/* files
-allow oav_update_t oav_update_etc_t:dir r_dir_perms;
-allow oav_update_t oav_update_etc_t:file r_file_perms;
+allow oav_update_t oav_update_etc_t:dir list_dir_perms;
+allow oav_update_t oav_update_etc_t:file read_file_perms;
# Can read /var/lib/oav-update/current
-allow oav_update_t oav_update_var_lib_t:dir manage_dir_perms;
-allow oav_update_t oav_update_var_lib_t:file manage_file_perms;
-allow oav_update_t oav_update_var_lib_t:lnk_file r_file_perms;
+manage_dirs_pattern(oav_update_t,oav_update_var_lib_t,oav_update_var_lib_t)
+manage_files_pattern(oav_update_t,oav_update_var_lib_t,oav_update_var_lib_t)
+read_lnk_files_pattern(oav_update_t,oav_update_var_lib_t,oav_update_var_lib_t)
corecmd_exec_all_executables(oav_update_t)
@@ -86,17 +86,16 @@ allow scannerdaemon_t self:fifo_file { read write };
allow scannerdaemon_t self:tcp_socket create_stream_socket_perms;
allow scannerdaemon_t self:udp_socket create_socket_perms;
-allow scannerdaemon_t oav_update_var_lib_t:dir r_dir_perms;
-allow scannerdaemon_t oav_update_var_lib_t:file r_file_perms;
+allow scannerdaemon_t oav_update_var_lib_t:dir list_dir_perms;
+allow scannerdaemon_t oav_update_var_lib_t:file read_file_perms;
files_search_var_lib(scannerdaemon_t)
-allow scannerdaemon_t scannerdaemon_etc_t:file r_file_perms;
+allow scannerdaemon_t scannerdaemon_etc_t:file read_file_perms;
-allow scannerdaemon_t scannerdaemon_log_t:file create_file_perms;
+allow scannerdaemon_t scannerdaemon_log_t:file manage_file_perms;
logging_log_filetrans(scannerdaemon_t,scannerdaemon_log_t,file)
-allow scannerdaemon_t scannerdaemon_var_run_t:file create_file_perms;
-allow scannerdaemon_t scannerdaemon_var_run_t:dir rw_dir_perms;
+manage_files_pattern(scannerdaemon_t,scannerdaemon_var_run_t,scannerdaemon_var_run_t)
files_pid_filetrans(scannerdaemon_t,scannerdaemon_var_run_t,file)
kernel_read_system_state(scannerdaemon_t)
diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if
index 7696c782..3338e8f1 100644
--- a/policy/modules/services/oddjob.if
+++ b/policy/modules/services/oddjob.if
@@ -19,10 +19,7 @@ interface(`oddjob_domtrans',`
type oddjob_t, oddjob_exec_t;
')
- domain_auto_trans($1,oddjob_exec_t,oddjob_t)
- allow oddjob_t $1:fd use;
- allow oddjob_t $1:fifo_file rw_file_perms;
- allow oddjob_t $1:process sigchld;
+ domtrans_pattern($1,oddjob_exec_t,oddjob_t)
')
########################################
@@ -46,13 +43,9 @@ interface(`oddjob_system_entry',`
type oddjob_t;
')
- domain_auto_trans(oddjob_t, $2, $1)
- allow $1 oddjob_t:fd use;
- allow $1 oddjob_t:fifo_file rw_file_perms;
- allow $1 oddjob_t:process sigchld;
+ domtrans_pattern(oddjob_t, $2, $1)
')
-
########################################
##
## Send and receive messages from
@@ -89,8 +82,5 @@ interface(`oddjob_domtrans_mkhomedir',`
type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
')
- domain_auto_trans($1,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
- allow oddjob_mkhomedir_t $1:fd use;
- allow oddjob_mkhomedir_t $1:fifo_file rw_file_perms;
- allow oddjob_mkhomedir_t $1:process sigchld;
+ domtrans_pattern($1,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
')
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index 4b08b3f4..23d6794e 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -32,9 +32,8 @@ allow oddjob_t self:process { setexec signal };
allow oddjob_t self:fifo_file { read write };
allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
-allow oddjob_t oddjob_var_run_t:file manage_file_perms;
-allow oddjob_t oddjob_var_run_t:sock_file manage_file_perms;
-allow oddjob_t oddjob_var_run_t:dir rw_dir_perms;
+manage_files_pattern(oddjob_t,oddjob_var_run_t,oddjob_var_run_t)
+manage_sock_files_pattern(oddjob_t,oddjob_var_run_t,oddjob_var_run_t)
files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file })
kernel_read_system_state(oddjob_t)
@@ -96,4 +95,3 @@ userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t)
userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t)
userdom_manage_staff_home_dirs(oddjob_mkhomedir_t)
userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
-
diff --git a/policy/modules/services/openca.if b/policy/modules/services/openca.if
index d84d2edd..0d5402c9 100644
--- a/policy/modules/services/openca.if
+++ b/policy/modules/services/openca.if
@@ -16,13 +16,9 @@ interface(`openca_domtrans',`
type openca_ca_t, openca_ca_exec_t, openca_usr_share_t;
')
- domain_auto_trans($1,openca_ca_exec_t,openca_ca_t)
+ domtrans_pattern($1,openca_ca_exec_t,openca_ca_t)
allow httpd_t openca_usr_share_t:dir search_dir_perms;
files_search_usr(httpd_t)
-
- allow openca_ca_t $1:fd use;
- allow openca_ca_t $1:fifo_file rw_file_perms;
- allow openca_ca_t $1:process sigchld;
')
########################################
diff --git a/policy/modules/services/openca.te b/policy/modules/services/openca.te
index 04fc293a..c776b2cb 100644
--- a/policy/modules/services/openca.te
+++ b/policy/modules/services/openca.te
@@ -46,25 +46,25 @@ files_type(openca_var_lib_keys_t)
#
# Allow access to other files under /etc/openca
-allow openca_ca_t openca_etc_t:file r_file_perms;
-allow openca_ca_t openca_etc_t:dir r_dir_perms;
+allow openca_ca_t openca_etc_t:file read_file_perms;
+allow openca_ca_t openca_etc_t:dir list_dir_perms;
# Allow access to writeable files under /etc/openca
-allow openca_ca_t openca_etc_writeable_t:file manage_file_perms;
-allow openca_ca_t openca_etc_writeable_t:dir manage_dir_perms;
+manage_dirs_pattern(openca_ca_t,openca_etc_writeable_t,openca_etc_writeable_t)
+manage_files_pattern(openca_ca_t,openca_etc_writeable_t,openca_etc_writeable_t)
# Allow access to other /var/lib/openca files
-allow openca_ca_t openca_var_lib_t:file manage_file_perms;
-allow openca_ca_t openca_var_lib_t:dir manage_dir_perms;
+manage_dirs_pattern(openca_ca_t,openca_var_lib_t,openca_var_lib_t)
+manage_files_pattern(openca_ca_t,openca_var_lib_t,openca_var_lib_t)
# Allow access to private CA key
-allow openca_ca_t openca_var_lib_keys_t:file manage_file_perms;
-allow openca_ca_t openca_var_lib_keys_t:dir manage_dir_perms;
+manage_dirs_pattern(openca_ca_t,openca_var_lib_keys_t,openca_var_lib_keys_t)
+manage_files_pattern(openca_ca_t,openca_var_lib_keys_t,openca_var_lib_keys_t)
# Allow access to other /usr/share/openca files
-allow openca_ca_t openca_usr_share_t:file r_file_perms;
-allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms;
-allow openca_ca_t openca_usr_share_t:dir r_dir_perms;
+read_files_pattern(openca_ca_t,openca_usr_share_t,openca_usr_share_t)
+read_lnk_files_pattern(openca_ca_t,openca_usr_share_t,openca_usr_share_t)
+allow openca_ca_t openca_usr_share_t:dir list_dir_perms;
# the perl executable will be able to run a perl script
corecmd_exec_bin(openca_ca_t)
diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
index 3e55f55b..b379ed13 100644
--- a/policy/modules/services/openct.te
+++ b/policy/modules/services/openct.te
@@ -21,8 +21,7 @@ files_pid_file(openct_var_run_t)
dontaudit openct_t self:capability sys_tty_config;
allow openct_t self:process signal_perms;
-allow openct_t openct_var_run_t:file create_file_perms;
-allow openct_t openct_var_run_t:dir rw_dir_perms;
+manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
files_pid_filetrans(openct_t,openct_var_run_t,file)
kernel_read_kernel_sysctls(openct_t)
diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
index b21e1ce2..ea6ec751 100644
--- a/policy/modules/services/openvpn.if
+++ b/policy/modules/services/openvpn.if
@@ -18,7 +18,7 @@ interface(`openvpn_read_config',`
')
files_search_etc($1)
- allow $1 openvpn_etc_t:dir r_dir_perms;
- allow $1 openvpn_etc_t:file r_file_perms;
- allow $1 openvpn_etc_t:lnk_file { getattr read };
+ allow $1 openvpn_etc_t:dir list_dir_perms;
+ read_files_pattern($1,openvpn_etc_t,openvpn_etc_t)
+ read_lnk_files_pattern($1,openvpn_etc_t,openvpn_etc_t)
')
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 9a499a5b..5f0e9979 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -35,14 +35,14 @@ allow openvpn_t self:udp_socket create_socket_perms;
allow openvpn_t self:tcp_socket create_socket_perms;
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
-allow openvpn_t openvpn_etc_t:dir r_dir_perms;
-allow openvpn_t openvpn_etc_t:file r_file_perms;
-allow openvpn_t openvpn_etc_t:lnk_file { getattr read };
+allow openvpn_t openvpn_etc_t:dir list_dir_perms;
+read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
+read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
-allow openvpn_t openvpn_var_log_t:file create_file_perms;
+allow openvpn_t openvpn_var_log_t:file manage_file_perms;
logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
-allow openvpn_t openvpn_var_run_t:file create_file_perms;
+allow openvpn_t openvpn_var_run_t:file manage_file_perms;
files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
kernel_read_kernel_sysctls(openvpn_t)
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index d3389473..d849ae62 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -30,37 +30,36 @@ files_pid_file(pegasus_var_run_t)
# Local policy
#
-allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service audit_write };
+allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
dontaudit pegasus_t self:capability sys_tty_config;
allow pegasus_t self:process signal;
-allow pegasus_t self:fifo_file rw_file_perms;
+allow pegasus_t self:fifo_file rw_fifo_file_perms;
allow pegasus_t self:unix_dgram_socket create_socket_perms;
allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
-allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow pegasus_t self:tcp_socket create_stream_socket_perms;
-allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
-allow pegasus_t pegasus_conf_t:file { r_file_perms link unlink };
-allow pegasus_t pegasus_conf_t:lnk_file r_file_perms;
+send_audit_msgs_pattern(pegasus_t)
-allow pegasus_t pegasus_data_t:dir rw_dir_perms;
-allow pegasus_t pegasus_data_t:file create_file_perms;
-allow pegasus_t pegasus_data_t:lnk_file create_lnk_perms;
-type_transition pegasus_t pegasus_conf_t:{ file dir } pegasus_data_t;
+allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
+allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
+allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
+manage_lnk_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
+filetrans_pattern(pegasus_t,pegasus_conf_t,pegasus_data_t,{ file dir })
can_exec(pegasus_t,pegasus_exec_t)
-allow pegasus_t pegasus_mof_t:dir r_dir_perms;
-allow pegasus_t pegasus_mof_t:file r_file_perms;
-allow pegasus_t pegasus_mof_t:lnk_file { getattr read };
+allow pegasus_t pegasus_mof_t:dir list_dir_perms;
+read_files_pattern(pegasus_t,pegasus_mof_t,pegasus_mof_t)
+read_lnk_files_pattern(pegasus_t,pegasus_mof_t,pegasus_mof_t)
-allow pegasus_t pegasus_tmp_t:dir create_dir_perms;
-allow pegasus_t pegasus_tmp_t:file create_file_perms;
+manage_dirs_pattern(pegasus_t,pegasus_tmp_t,pegasus_tmp_t)
+manage_files_pattern(pegasus_t,pegasus_tmp_t,pegasus_tmp_t)
files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
-allow pegasus_t pegasus_var_run_t:file create_file_perms;
allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
-allow pegasus_t pegasus_var_run_t:dir rw_dir_perms;
+manage_files_pattern(pegasus_t,pegasus_var_run_t,pegasus_var_run_t)
files_pid_filetrans(pegasus_t,pegasus_var_run_t,file)
kernel_read_kernel_sysctls(pegasus_t)
diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te
index 876bbfde..f02f6588 100644
--- a/policy/modules/services/perdition.te
+++ b/policy/modules/services/perdition.te
@@ -30,8 +30,7 @@ allow perdition_t self:udp_socket create_socket_perms;
allow perdition_t perdition_etc_t:file { getattr read };
files_search_etc(perdition_t)
-allow perdition_t perdition_var_run_t:file create_file_perms;
-allow perdition_t perdition_var_run_t:dir rw_dir_perms;
+manage_files_pattern(perdition_t,perdition_var_run_t,perdition_var_run_t)
files_pid_filetrans(perdition_t,perdition_var_run_t,file)
kernel_read_kernel_sysctls(perdition_t)
diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if
index 5cc32e7d..bcc66e9a 100644
--- a/policy/modules/services/portmap.if
+++ b/policy/modules/services/portmap.if
@@ -16,12 +16,7 @@ interface(`portmap_domtrans_helper',`
')
corecmd_search_bin($1)
- domain_auto_trans($1,portmap_helper_exec_t,portmap_helper_t)
-
- allow $1 portmap_helper_t:fd use;
- allow portmap_helper_t $1:fd use;
- allow portmap_helper_t $1:fifo_file rw_file_perms;
- allow portmap_helper_t $1:process sigchld;
+ domtrans_pattern($1,portmap_helper_exec_t,portmap_helper_t)
')
########################################
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
index 376c90ae..eb80fe13 100644
--- a/policy/modules/services/portmap.te
+++ b/policy/modules/services/portmap.te
@@ -34,12 +34,11 @@ allow portmap_t self:unix_stream_socket create_stream_socket_perms;
allow portmap_t self:tcp_socket create_stream_socket_perms;
allow portmap_t self:udp_socket create_socket_perms;
-allow portmap_t portmap_tmp_t:dir create_dir_perms;
-allow portmap_t portmap_tmp_t:file create_file_perms;
+manage_dirs_pattern(portmap_t,portmap_tmp_t,portmap_tmp_t)
+manage_files_pattern(portmap_t,portmap_tmp_t,portmap_tmp_t)
files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })
-allow portmap_t portmap_var_run_t:file create_file_perms;
-allow portmap_t portmap_var_run_t:dir rw_dir_perms;
+manage_files_pattern(portmap_t,portmap_var_run_t,portmap_var_run_t)
files_pid_filetrans(portmap_t,portmap_var_run_t,file)
kernel_read_kernel_sysctls(portmap_t)
@@ -126,7 +125,7 @@ allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
allow portmap_helper_t self:udp_socket create_socket_perms;
-allow portmap_helper_t portmap_var_run_t:file create_file_perms;
+allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
files_pid_filetrans(portmap_helper_t,portmap_var_run_t,file)
corenet_tcp_sendrecv_all_if(portmap_helper_t)
diff --git a/policy/modules/services/portslave.if b/policy/modules/services/portslave.if
index 410cdb13..a55ca533 100644
--- a/policy/modules/services/portslave.if
+++ b/policy/modules/services/portslave.if
@@ -15,10 +15,5 @@ interface(`portslave_domtrans',`
type portslave_t, portslave_exec_t;
')
- domain_auto_trans($1,portslave_exec_t,portslave_t)
-
- allow $1 portslave_t:fd use;
- allow portslave_t $1:fd use;
- allow portslave_t $1:fifo_file rw_file_perms;
- allow portslave_t $1:process sigchld;
+ domtrans_pattern($1,portslave_exec_t,portslave_t)
')
diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te
index 6dcab880..73118a64 100644
--- a/policy/modules/services/portslave.te
+++ b/policy/modules/services/portslave.te
@@ -30,7 +30,7 @@ dontaudit portslave_t self:capability sys_admin;
allow portslave_t self:process signal_perms;
allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow portslave_t self:fd use;
-allow portslave_t self:fifo_file rw_file_perms;
+allow portslave_t self:fifo_file rw_fifo_file_perms;
allow portslave_t self:unix_dgram_socket create_socket_perms;
allow portslave_t self:unix_stream_socket create_stream_socket_perms;
allow portslave_t self:unix_dgram_socket sendto;
@@ -42,11 +42,11 @@ allow portslave_t self:msg { send receive };
allow portslave_t self:tcp_socket create_stream_socket_perms;
allow portslave_t self:udp_socket create_socket_perms;
-allow portslave_t portslave_etc_t:dir r_dir_perms;
-allow portslave_t portslave_etc_t:file r_file_perms;
-allow portslave_t portslave_etc_t:lnk_file { getattr read };
+allow portslave_t portslave_etc_t:dir list_dir_perms;
+read_files_pattern(portslave_t,portslave_etc_t,portslave_etc_t)
+read_lnk_files_pattern(portslave_t,portslave_etc_t,portslave_etc_t)
-allow portslave_t portslave_lock_t:file create_file_perms;
+allow portslave_t portslave_lock_t:file manage_file_perms;
files_lock_filetrans(portslave_t,portslave_lock_t,file)
kernel_read_system_state(portslave_t)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index ab9632be..6e9dbbc9 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -42,18 +42,16 @@ template(`postfix_domain_template',`
allow postfix_master_t postfix_$1_t:process signal;
- allow postfix_$1_t postfix_etc_t:dir r_dir_perms;
- allow postfix_$1_t postfix_etc_t:file r_file_perms;
+ allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
+ read_files_pattern(postfix_$1_t,postfix_etc_t,postfix_etc_t)
can_exec(postfix_$1_t, postfix_$1_exec_t)
allow postfix_$1_t postfix_exec_t:file rx_file_perms;
- # cjp: ???
- allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
allow postfix_$1_t postfix_master_t:process sigchld;
- allow postfix_$1_t postfix_spool_t:dir r_dir_perms;
+ allow postfix_$1_t postfix_spool_t:dir list_dir_perms;
allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
files_pid_filetrans(postfix_$1_t,postfix_var_run_t,file)
@@ -129,11 +127,7 @@ template(`postfix_server_domain_template',`
allow postfix_$1_t self:tcp_socket create_socket_perms;
allow postfix_$1_t self:udp_socket create_socket_perms;
- domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
- allow postfix_master_t postfix_$1_t:fd use;
- allow postfix_$1_t postfix_master_t:fd use;
- allow postfix_$1_t postfix_master_t:fifo_file rw_file_perms;
- allow postfix_$1_t postfix_master_t:process sigchld;
+ domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
corenet_non_ipsec_sendrecv(postfix_$1_t)
corenet_tcp_sendrecv_all_if(postfix_$1_t)
@@ -176,11 +170,7 @@ template(`postfix_user_domain_template',`
allow postfix_$1_t self:capability dac_override;
- domain_auto_trans(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
- allow postfix_user_domtrans postfix_$1_t:fd use;
- allow postfix_$1_t postfix_user_domtrans:fd use;
- allow postfix_$1_t postfix_user_domtrans:fifo_file rw_file_perms;
- allow postfix_$1_t postfix_user_domtrans:process sigchld;
+ domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
domain_use_interactive_fds(postfix_$1_t)
')
@@ -263,8 +253,7 @@ interface(`postfix_config_filetrans',`
')
files_search_etc($1)
- allow $1 postfix_etc_t:dir rw_dir_perms;
- type_transition $1 postfix_etc_t:$3 $2;
+ filetrans_pattern($1,postfix_etc_t,$2,$3)
')
########################################
@@ -322,12 +311,7 @@ interface(`postfix_domtrans_map',`
type postfix_map_t, postfix_map_exec_t;
')
- domain_auto_trans($1,postfix_map_exec_t,postfix_map_t)
-
- allow $1 postfix_map_t:fd use;
- allow postfix_map_t $1:fd use;
- allow postfix_map_t $1:fifo_file rw_file_perms;
- allow postfix_map_t $1:process sigchld;
+ domtrans_pattern($1,postfix_map_exec_t,postfix_map_t)
')
########################################
@@ -378,12 +362,7 @@ interface(`postfix_domtrans_master',`
type postfix_master_t, postfix_master_exec_t;
')
- domain_auto_trans($1,postfix_master_exec_t,postfix_master_t)
-
- allow $1 postfix_master_t:fd use;
- allow postfix_master_t $1:fd use;
- allow postfix_master_t $1:fifo_file rw_file_perms;
- allow postfix_master_t $1:process sigchld;
+ domtrans_pattern($1,postfix_master_exec_t,postfix_master_t)
')
########################################
@@ -421,11 +400,7 @@ interface(`postfix_domtrans_smtp',`
type postfix_smtp_t, postfix_smtp_exec_t;
')
- domain_auto_trans($1,postfix_smtp_exec_t,postfix_smtp_t)
-
- allow postfix_smtp_t $1:fd use;
- allow postfix_smtp_t $1:fifo_file rw_file_perms;
- allow postfix_smtp_t $1:process sigchld;
+ domtrans_pattern($1,postfix_smtp_exec_t,postfix_smtp_t)
')
########################################
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index eb3344a3..d26924e4 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -91,7 +91,7 @@ files_pid_file(postfix_var_run_t)
# chown is to set the correct ownership of queue dirs
allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
-allow postfix_master_t self:fifo_file rw_file_perms;
+allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
@@ -105,29 +105,31 @@ allow postfix_master_t postfix_postdrop_exec_t:file getattr;
allow postfix_master_t postfix_postqueue_exec_t:file getattr;
-allow postfix_master_t postfix_private_t:dir rw_dir_perms;
-allow postfix_master_t postfix_private_t:sock_file create_file_perms;
-allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
+manage_fifo_files_pattern(postfix_master_t,postfix_private_t,postfix_private_t)
+manage_sock_files_pattern(postfix_master_t,postfix_private_t,postfix_private_t)
+
+domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
allow postfix_master_t postfix_prng_t:file rw_file_perms;
-allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
-allow postfix_master_t postfix_public_t:sock_file create_file_perms;
-allow postfix_master_t postfix_public_t:dir rw_dir_perms;
+manage_fifo_files_pattern(postfix_master_t,postfix_public_t,postfix_public_t)
+manage_sock_files_pattern(postfix_master_t,postfix_public_t,postfix_public_t)
+
+domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
# allow access to deferred queue and allow removing bogus incoming entries
-allow postfix_master_t postfix_spool_t:dir create_dir_perms;
-allow postfix_master_t postfix_spool_t:file create_file_perms;
+manage_dirs_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t)
+manage_files_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t)
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
allow postfix_master_t postfix_spool_bounce_t:file getattr;
-allow postfix_master_t postfix_spool_flush_t:dir create_dir_perms;
-allow postfix_master_t postfix_spool_flush_t:file create_file_perms;
-allow postfix_master_t postfix_spool_flush_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(postfix_master_t,postfix_spool_flush_t,postfix_spool_flush_t)
+manage_files_pattern(postfix_master_t,postfix_spool_flush_t,postfix_spool_flush_t)
+manage_lnk_files_pattern(postfix_master_t,postfix_spool_flush_t,postfix_spool_flush_t)
-allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
+delete_files_pattern(postfix_master_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
+rename_files_pattern(postfix_master_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
kernel_read_all_sysctls(postfix_master_t)
@@ -196,21 +198,11 @@ optional_policy(`
ifdef(`distro_redhat',`
# for newer main.cf that uses /etc/aliases
- allow postfix_master_t etc_t:dir rw_dir_perms;
- allow postfix_master_t etc_aliases_t:dir create_dir_perms;
- allow postfix_master_t etc_aliases_t:file create_file_perms;
- allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms;
- allow postfix_master_t etc_aliases_t:sock_file create_file_perms;
- allow postfix_master_t etc_aliases_t:fifo_file create_file_perms;
- type_transition postfix_master_t etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t;
-
- allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
- allow postfix_master_t etc_aliases_t:dir create_dir_perms;
- allow postfix_master_t etc_aliases_t:file create_file_perms;
- allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms;
- allow postfix_master_t etc_aliases_t:sock_file create_file_perms;
- allow postfix_master_t etc_aliases_t:fifo_file create_file_perms;
- type_transition postfix_master_t postfix_etc_t:{ dir file lnk_file sock_file fifo_file } etc_aliases_t;
+ allow postfix_master_t etc_aliases_t:dir manage_dir_perms;
+ allow postfix_master_t etc_aliases_t:file manage_file_perms;
+ allow postfix_master_t etc_aliases_t:lnk_file manage_lnk_file_perms;
+ mta_etc_filetrans_aliases(postfix_master_t)
+ filetrans_pattern(postfix_master_t,postfix_etc_t,etc_aliases_t,{ dir file lnk_file })
')
# end partially converted rules
@@ -226,13 +218,13 @@ allow postfix_bounce_t self:tcp_socket create_socket_perms;
allow postfix_bounce_t postfix_public_t:sock_file write;
allow postfix_bounce_t postfix_public_t:dir search;
-allow postfix_bounce_t postfix_spool_t:dir create_dir_perms;
-allow postfix_bounce_t postfix_spool_t:file create_file_perms;
-allow postfix_bounce_t postfix_spool_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(postfix_bounce_t,postfix_spool_t,postfix_spool_t)
+manage_files_pattern(postfix_bounce_t,postfix_spool_t,postfix_spool_t)
+manage_lnk_files_pattern(postfix_bounce_t,postfix_spool_t,postfix_spool_t)
-allow postfix_bounce_t postfix_spool_bounce_t:dir create_dir_perms;
-allow postfix_bounce_t postfix_spool_bounce_t:file create_file_perms;
-allow postfix_bounce_t postfix_spool_bounce_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(postfix_bounce_t,postfix_spool_bounce_t,postfix_spool_bounce_t)
+manage_files_pattern(postfix_bounce_t,postfix_spool_bounce_t,postfix_spool_bounce_t)
+manage_lnk_files_pattern(postfix_bounce_t,postfix_spool_bounce_t,postfix_spool_bounce_t)
########################################
#
@@ -242,19 +234,16 @@ allow postfix_bounce_t postfix_spool_bounce_t:lnk_file create_lnk_perms;
allow postfix_cleanup_t self:process setrlimit;
# connect to master process
-allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_cleanup_t postfix_private_t:dir search;
-allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
+stream_connect_pattern(postfix_cleanup_t,postfix_private_t,postfix_private_t,postfix_master_t)
-allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
-allow postfix_cleanup_t postfix_public_t:dir search;
+rw_fifo_files_pattern(postfix_cleanup_t,postfix_public_t,postfix_public_t)
+write_sock_files_pattern(postfix_cleanup_t,postfix_public_t,postfix_public_t)
-allow postfix_cleanup_t postfix_spool_t:dir create_dir_perms;
-allow postfix_cleanup_t postfix_spool_t:file create_file_perms;
-allow postfix_cleanup_t postfix_spool_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(postfix_cleanup_t,postfix_spool_t,postfix_spool_t)
+manage_files_pattern(postfix_cleanup_t,postfix_spool_t,postfix_spool_t)
+manage_lnk_files_pattern(postfix_cleanup_t,postfix_spool_t,postfix_spool_t)
-allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
+allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
@@ -263,21 +252,18 @@ corecmd_exec_bin(postfix_cleanup_t)
# Postfix local local policy
#
-allow postfix_local_t self:fifo_file rw_file_perms;
+allow postfix_local_t self:fifo_file rw_fifo_file_perms;
allow postfix_local_t self:process { setsched setrlimit };
-allow postfix_local_t postfix_local_tmp_t:dir create_dir_perms;
-allow postfix_local_t postfix_local_tmp_t:file create_file_perms;
+manage_dirs_pattern(postfix_local_t,postfix_local_tmp_t,postfix_local_tmp_t)
+manage_files_pattern(postfix_local_t,postfix_local_tmp_t,postfix_local_tmp_t)
files_tmp_filetrans(postfix_local_t, postfix_local_tmp_t, { file dir })
# connect to master process
-allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_local_t postfix_public_t:dir search;
-allow postfix_local_t postfix_public_t:sock_file write;
+stream_connect_pattern(postfix_local_t,postfix_public_t,postfix_public_t,postfix_master_t)
# for .forward - maybe we need a new type for it?
-allow postfix_local_t postfix_private_t:dir search;
-allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
+rw_sock_files_pattern(postfix_local_t,postfix_private_t,postfix_private_t)
allow postfix_local_t postfix_spool_t:file rw_file_perms;
@@ -315,12 +301,12 @@ allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
allow postfix_map_t self:udp_socket create_socket_perms;
-allow postfix_map_t postfix_etc_t:dir create_dir_perms;
-allow postfix_map_t postfix_etc_t:file create_file_perms;
-allow postfix_map_t postfix_etc_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(postfix_map_t,postfix_etc_t,postfix_etc_t)
+manage_files_pattern(postfix_map_t,postfix_etc_t,postfix_etc_t)
+manage_lnk_files_pattern(postfix_map_t,postfix_etc_t,postfix_etc_t)
-allow postfix_map_t postfix_map_tmp_t:dir create_dir_perms;
-allow postfix_map_t postfix_map_tmp_t:file create_file_perms;
+manage_dirs_pattern(postfix_map_t,postfix_map_tmp_t,postfix_map_tmp_t)
+manage_files_pattern(postfix_map_t,postfix_map_tmp_t,postfix_map_tmp_t)
files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
kernel_read_kernel_sysctls(postfix_map_t)
@@ -393,19 +379,15 @@ optional_policy(`
allow postfix_pickup_t self:tcp_socket create_socket_perms;
-allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
+stream_connect_pattern(postfix_pickup_t,postfix_private_t,postfix_private_t,postfix_master_t)
-allow postfix_pickup_t postfix_private_t:dir search;
-allow postfix_pickup_t postfix_private_t:sock_file write;
-
-allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
-allow postfix_pickup_t postfix_public_t:dir search;
+rw_fifo_files_pattern(postfix_pickup_t,postfix_public_t,postfix_public_t)
+rw_sock_files_pattern(postfix_pickup_t,postfix_public_t,postfix_public_t)
postfix_list_spool(postfix_pickup_t)
-allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
-allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
+
+read_files_pattern(postfix_pickup_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
+delete_files_pattern(postfix_pickup_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
########################################
#
@@ -414,14 +396,11 @@ allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
allow postfix_pipe_t self:fifo_file { read write };
-allow postfix_pipe_t postfix_private_t:dir search;
-allow postfix_pipe_t postfix_private_t:sock_file write;
+write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
-allow postfix_pipe_t postfix_public_t:fifo_file { getattr write };
-allow postfix_pipe_t postfix_public_t:dir search;
+write_fifo_files_pattern(postfix_pipe_t,postfix_public_t,postfix_public_t)
-allow postfix_pipe_t postfix_spool_t:dir search;
-allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
+rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
optional_policy(`
procmail_domtrans(postfix_pipe_t)
@@ -445,12 +424,10 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
-allow postfix_postdrop_t postfix_public_t:dir search;
-allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
+rw_fifo_files_pattern(postfix_postdrop_t,postfix_public_t,postfix_public_t)
postfix_list_spool(postfix_postdrop_t)
-allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
+manage_files_pattern(postfix_postdrop_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
corenet_udp_sendrecv_all_if(postfix_postdrop_t)
corenet_udp_sendrecv_all_nodes(postfix_postdrop_t)
@@ -485,24 +462,12 @@ allow postfix_postqueue_t self:tcp_socket create;
allow postfix_postqueue_t self:udp_socket { create ioctl };
# wants to write to /var/spool/postfix/public/showq
-allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
-allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
+stream_connect_pattern(postfix_postqueue_t,postfix_public_t,postfix_public_t,postfix_master_t)
-allow postfix_postqueue_t postfix_public_t:dir search;
# write to /var/spool/postfix/public/qmgr
-allow postfix_postqueue_t postfix_public_t:fifo_file { getattr write };
+write_fifo_files_pattern(postfix_postqueue_t,postfix_public_t,postfix_public_t)
-domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-allow postfix_master_t postfix_postqueue_t:fd use;
-allow postfix_postqueue_t postfix_master_t:fd use;
-allow postfix_postqueue_t postfix_master_t:fifo_file rw_file_perms;
-allow postfix_postqueue_t postfix_master_t:process sigchld;
-
-domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
-allow postfix_postqueue_t postfix_showq_t:fd use;
-allow postfix_showq_t postfix_postqueue_t:fd use;
-allow postfix_showq_t postfix_postqueue_t:fifo_file rw_file_perms;
-allow postfix_showq_t postfix_postqueue_t:process sigchld;
+domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
term_use_all_user_ptys(postfix_postqueue_t)
@@ -518,19 +483,14 @@ sysnet_dontaudit_read_config(postfix_postqueue_t)
# Postfix qmgr local policy
#
-allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
+stream_connect_pattern(postfix_qmgr_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
-allow postfix_qmgr_t postfix_private_t:dir search;
-allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
-
-allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_qmgr_t postfix_public_t:sock_file write;
-allow postfix_qmgr_t postfix_public_t:dir search;
+rw_fifo_files_pattern(postfix_qmgr_t,postfix_public_t,postfix_public_t)
# for /var/spool/postfix/active
-allow postfix_qmgr_t postfix_spool_t:dir create_dir_perms;
-allow postfix_qmgr_t postfix_spool_t:file create_file_perms;
-allow postfix_qmgr_t postfix_spool_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(postfix_qmgr_t,postfix_spool_t,postfix_spool_t)
+manage_files_pattern(postfix_qmgr_t,postfix_spool_t,postfix_spool_t)
+manage_lnk_files_pattern(postfix_qmgr_t,postfix_spool_t,postfix_spool_t)
allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
@@ -546,16 +506,9 @@ corecmd_exec_bin(postfix_qmgr_t)
allow postfix_showq_t self:capability { setuid setgid };
allow postfix_showq_t self:tcp_socket create_socket_perms;
-# the following auto_trans is usually in postfix server domain
-domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
-allow postfix_master_t postfix_showq_t:fd use;
-allow postfix_showq_t postfix_master_t:fd use;
-allow postfix_showq_t postfix_master_t:fifo_file rw_file_perms;
-allow postfix_showq_t postfix_master_t:process sigchld;
-
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
-allow postfix_showq_t postfix_spool_t:file r_file_perms;
+allow postfix_showq_t postfix_spool_t:file read_file_perms;
postfix_list_spool(postfix_showq_t)
@@ -577,9 +530,9 @@ sysnet_dns_name_resolve(postfix_showq_t)
allow postfix_smtp_t self:netlink_route_socket r_netlink_socket_perms;
# connect to master process
-allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
-allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
+stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
+
+allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -594,13 +547,11 @@ optional_policy(`
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
# connect to master process
-allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
-allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
+stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
# for prng_exch
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
-allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
+allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
corecmd_exec_bin(postfix_smtpd_t)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 2025d034..da913c4c 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -52,12 +52,7 @@ interface(`postgresql_domtrans',`
type postgresql_t, postgresql_exec_t;
')
- domain_auto_trans($1,postgresql_exec_t,postgresql_t)
-
- allow $1 postgresql_t:fd use;
- allow postgresql_t $1:fd use;
- allow postgresql_t $1:fifo_file rw_file_perms;
- allow postgresql_t $1:process sigchld;
+ domtrans_pattern($1,postgresql_exec_t,postgresql_t)
')
########################################
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index d0452c63..41880818 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -44,38 +44,36 @@ allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
allow postgresql_t self:netlink_route_socket r_netlink_socket_perms;
-allow postgresql_t postgresql_db_t:dir create_dir_perms;
-allow postgresql_t postgresql_db_t:fifo_file create_file_perms;
-allow postgresql_t postgresql_db_t:file create_file_perms;
-allow postgresql_t postgresql_db_t:lnk_file create_lnk_perms;
-allow postgresql_t postgresql_db_t:sock_file create_file_perms;
+manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+manage_lnk_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+manage_fifo_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+manage_sock_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
-allow postgresql_t postgresql_etc_t:dir r_dir_perms;
-allow postgresql_t postgresql_etc_t:file r_file_perms;
-allow postgresql_t postgresql_etc_t:lnk_file { getattr read };
+allow postgresql_t postgresql_etc_t:dir list_dir_perms;
+read_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t)
+read_lnk_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t)
allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
can_exec(postgresql_t, postgresql_exec_t )
-allow postgresql_t postgresql_lock_t:file create_file_perms;
+allow postgresql_t postgresql_lock_t:file manage_file_perms;
files_lock_filetrans(postgresql_t,postgresql_lock_t,file)
-allow postgresql_t postgresql_log_t:dir rw_dir_perms;
-allow postgresql_t postgresql_log_t:file create_file_perms;
+manage_files_pattern(postgresql_t,postgresql_log_t,postgresql_log_t)
logging_log_filetrans(postgresql_t,postgresql_log_t,{ file dir })
-allow postgresql_t postgresql_tmp_t:dir create_dir_perms;
-allow postgresql_t postgresql_tmp_t:fifo_file create_file_perms;
-allow postgresql_t postgresql_tmp_t:file create_file_perms;
-allow postgresql_t postgresql_tmp_t:lnk_file create_lnk_perms;
-allow postgresql_t postgresql_tmp_t:sock_file create_file_perms;
+manage_dirs_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
+manage_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
+manage_lnk_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
+manage_fifo_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
+manage_sock_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
-allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
-allow postgresql_t postgresql_var_run_t:file create_file_perms;
-allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
+manage_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t)
+manage_sock_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t)
files_pid_filetrans(postgresql_t,postgresql_var_run_t,file)
kernel_read_kernel_sysctls(postgresql_t)
@@ -187,7 +185,6 @@ bool allow_user_postgresql_connect false;
if (allow_user_postgresql_connect) {
# allow any user domain to connect to the database server
-can_tcp_connect(userdomain, postgresql_t)
allow userdomain postgresql_t:unix_stream_socket connectto;
allow userdomain postgresql_var_run_t:sock_file write;
allow userdomain postgresql_tmp_t:sock_file write;
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index 90bccd51..308652dc 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -29,17 +29,15 @@ dontaudit postgrey_t self:capability sys_tty_config;
allow postgrey_t self:process signal_perms;
allow postgrey_t self:tcp_socket create_stream_socket_perms;
-allow postgrey_t postgrey_etc_t:file r_file_perms;
-allow postgrey_t postgrey_etc_t:dir r_dir_perms;
-allow postgrey_t postgrey_etc_t:lnk_file { getattr read };
+allow postgrey_t postgrey_etc_t:dir list_dir_perms;
+read_files_pattern(postgrey_t,postgrey_etc_t,postgrey_etc_t)
+read_lnk_files_pattern(postgrey_t,postgrey_etc_t,postgrey_etc_t)
-allow postgrey_t postgrey_var_lib_t:file create_file_perms;
-allow postgrey_t postgrey_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(postgrey_t,postgrey_var_lib_t,postgrey_var_lib_t)
files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
-allow postgrey_t postgrey_var_run_t:file create_file_perms;
-allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
-allow postgrey_t postgrey_var_run_t:dir rw_dir_perms;
+manage_files_pattern(postgrey_t,postgrey_var_run_t,postgrey_var_run_t)
+manage_sock_files_pattern(postgrey_t,postgrey_var_run_t,postgrey_var_run_t)
files_pid_filetrans(postgrey_t,postgrey_var_run_t,{ file sock_file })
kernel_read_system_state(postgrey_t)
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index 4617701d..036f91e8 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -90,12 +90,7 @@ interface(`ppp_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1, pppd_exec_t, pppd_t)
-
- allow $1 pppd_t:fd use;
- allow pppd_t $1:fd use;
- allow pppd_t $1:fifo_file rw_file_perms;
- allow pppd_t $1:process sigchld;
+ domtrans_pattern($1, pppd_exec_t, pppd_t)
')
########################################
@@ -217,7 +212,7 @@ interface(`ppp_read_pid_files',`
type pppd_var_run_t;
')
- allow $1 pppd_var_run_t:file r_file_perms;
+ allow $1 pppd_var_run_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 70ff15f9..16c92700 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -60,7 +60,7 @@ files_pid_file(pptp_var_run_t)
allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
dontaudit pppd_t self:capability sys_tty_config;
allow pppd_t self:process signal;
-allow pppd_t self:fifo_file rw_file_perms;
+allow pppd_t self:fifo_file rw_fifo_file_perms;
allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms;
allow pppd_t self:unix_stream_socket create_socket_perms;
@@ -69,42 +69,36 @@ allow pppd_t self:tcp_socket create_stream_socket_perms;
allow pppd_t self:udp_socket { connect connected_socket_perms };
allow pppd_t self:packet_socket create_socket_perms;
-domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
-allow pppd_t pptp_t:fd use;
-allow pptp_t pppd_t:fd use;
-allow pptp_t pppd_t:fifo_file rw_file_perms;
-allow pptp_t pppd_t:process sigchld;
+domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
-allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
+allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr };
allow pppd_t pppd_etc_t:dir rw_dir_perms;
-allow pppd_t pppd_etc_t:file r_file_perms;
+allow pppd_t pppd_etc_t:file read_file_perms;
allow pppd_t pppd_etc_t:lnk_file { getattr read };
-allow pppd_t pppd_etc_rw_t:dir rw_dir_perms;
-allow pppd_t pppd_etc_rw_t:file create_file_perms;
+manage_files_pattern(pppd_t,pppd_etc_rw_t,pppd_etc_rw_t)
# Automatically label newly created files under /etc/ppp with this type
-type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;
+filetrans_pattern(pppd_t,pppd_etc_t,pppd_etc_rw_t,file)
-allow pppd_t pppd_lock_t:file create_file_perms;
+allow pppd_t pppd_lock_t:file manage_file_perms;
files_lock_filetrans(pppd_t,pppd_lock_t,file)
-allow pppd_t pppd_log_t:file create_file_perms;
+allow pppd_t pppd_log_t:file manage_file_perms;
logging_log_filetrans(pppd_t,pppd_log_t,file)
-allow pppd_t pppd_tmp_t:dir create_dir_perms;
-allow pppd_t pppd_tmp_t:file create_file_perms;
+manage_dirs_pattern(pppd_t,pppd_tmp_t,pppd_tmp_t)
+manage_files_pattern(pppd_t,pppd_tmp_t,pppd_tmp_t)
files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
-allow pppd_t pppd_var_run_t:dir rw_dir_perms;
-allow pppd_t pppd_var_run_t:file create_file_perms;
+manage_files_pattern(pppd_t,pppd_var_run_t,pppd_var_run_t)
files_pid_filetrans(pppd_t,pppd_var_run_t,file)
allow pppd_t pptp_t:process signal;
# for SSP
# Access secret files
-allow pppd_t pppd_secret_t:file r_file_perms;
+allow pppd_t pppd_secret_t:file read_file_perms;
kernel_read_kernel_sysctls(pppd_t)
kernel_read_system_state(pppd_t)
@@ -253,12 +247,11 @@ can_exec(pptp_t, pppd_etc_rw_t)
# Allow pptp to append to pppd log files
allow pptp_t pppd_log_t:file append;
-allow pptp_t pptp_log_t:file create_file_perms;
+allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t,pptp_log_t,file)
-allow pptp_t pptp_var_run_t:file create_file_perms;
-allow pptp_t pptp_var_run_t:dir rw_dir_perms;
-allow pptp_t pptp_var_run_t:sock_file create_file_perms;
+manage_files_pattern(pptp_t,pptp_var_run_t,pptp_var_run_t)
+manage_sock_files_pattern(pptp_t,pptp_var_run_t,pptp_var_run_t)
files_pid_filetrans(pptp_t,pptp_var_run_t,file)
kernel_list_proc(pptp_t)
@@ -334,8 +327,4 @@ optional_policy(`
')
# FIXME:
-domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
-allow pppd_t initrc_t:fd use;
-allow initrc_t pppd_t:fd use;
-allow initrc_t pppd_t:fifo_file rw_file_perms;
-allow initrc_t pppd_t:process sigchld;
+domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index 56dd6791..3cf9156c 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -30,12 +30,10 @@ allow privoxy_t self:tcp_socket create_stream_socket_perms;
allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
-allow privoxy_t privoxy_log_t:file create_file_perms;
-allow privoxy_t privoxy_log_t:dir rw_dir_perms;
+manage_files_pattern(privoxy_t,privoxy_log_t,privoxy_log_t)
logging_log_filetrans(privoxy_t,privoxy_log_t,file)
-allow privoxy_t privoxy_var_run_t:file create_file_perms;
-allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
+manage_files_pattern(privoxy_t,privoxy_var_run_t,privoxy_var_run_t)
files_pid_filetrans(privoxy_t,privoxy_var_run_t,file)
kernel_read_kernel_sysctls(privoxy_t)
diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if
index 078fca3c..440565a1 100644
--- a/policy/modules/services/procmail.if
+++ b/policy/modules/services/procmail.if
@@ -17,12 +17,7 @@ interface(`procmail_domtrans',`
files_search_usr($1)
corecmd_search_bin($1)
- domain_auto_trans($1,procmail_exec_t,procmail_t)
-
- allow $1 procmail_t:fd use;
- allow procmail_t $1:fd use;
- allow procmail_t $1:fifo_file rw_file_perms;
- allow procmail_t $1:process sigchld;
+ domtrans_pattern($1,procmail_exec_t,procmail_t)
')
########################################
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index a841b193..03fc8c3c 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -19,7 +19,7 @@ role system_r types procmail_t;
allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
allow procmail_t self:process { setsched signal };
-allow procmail_t self:fifo_file rw_file_perms;
+allow procmail_t self:fifo_file rw_fifo_file_perms;
allow procmail_t self:unix_stream_socket create_socket_perms;
allow procmail_t self:unix_dgram_socket create_socket_perms;
allow procmail_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/publicfile.te b/policy/modules/services/publicfile.te
index 7b91ac93..42a09bc1 100644
--- a/policy/modules/services/publicfile.te
+++ b/policy/modules/services/publicfile.te
@@ -20,8 +20,8 @@ files_type(publicfile_content_t)
#
allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
-allow publicfile_t publicfile_content_t:dir r_dir_perms;
-allow publicfile_t publicfile_content_t:file r_file_perms;
+allow publicfile_t publicfile_content_t:dir list_dir_perms;
+allow publicfile_t publicfile_content_t:file read_file_perms;
files_search_var(publicfile_t)
diff --git a/policy/modules/services/pxe.te b/policy/modules/services/pxe.te
index d992e7d0..4903e408 100644
--- a/policy/modules/services/pxe.te
+++ b/policy/modules/services/pxe.te
@@ -27,11 +27,10 @@ allow pxe_t self:capability { chown setgid setuid };
dontaudit pxe_t self:capability sys_tty_config;
allow pxe_t self:process signal_perms;
-allow pxe_t pxe_log_t:file create_file_perms;
+allow pxe_t pxe_log_t:file manage_file_perms;
logging_log_filetrans(pxe_t,pxe_log_t,file)
-allow pxe_t pxe_var_run_t:file create_file_perms;
-allow pxe_t pxe_var_run_t:dir rw_dir_perms;
+manage_files_pattern(pxe_t,pxe_var_run_t,pxe_var_run_t)
files_pid_filetrans(pxe_t,pxe_var_run_t,file)
kernel_read_kernel_sysctls(pxe_t)
diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if
index c611aa5c..0b98efe8 100644
--- a/policy/modules/services/pyzor.if
+++ b/policy/modules/services/pyzor.if
@@ -17,12 +17,7 @@ interface(`pyzor_domtrans',`
files_search_usr($1)
corecmd_search_bin($1)
- domain_auto_trans($1,pyzor_exec_t,pyzor_t)
-
- allow $1 pyzor_t:fd use;
- allow pyzor_t $1:fd use;
- allow pyzor_t $1:fifo_file rw_file_perms;
- allow pyzor_t $1:process sigchld;
+ domtrans_pattern($1,pyzor_exec_t,pyzor_t)
')
########################################
@@ -72,9 +67,9 @@ template(`pyzor_per_role_template',`
type $1_pyzor_home_t;
userdom_user_home_content($1,$1_pyzor_home_t)
- allow pyzord_t $1_pyzor_home_t:dir create_dir_perms;
- allow pyzord_t $1_pyzor_home_t:file create_file_perms;
- allow pyzord_t $1_pyzor_home_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t)
+ manage_files_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t)
+ manage_lnk_files_pattern(pyzord_t,$1_pyzor_home_t,$1_pyzor_home_t)
userdom_search_user_home_dirs($1,pyzord_t)
userdom_user_home_dir_filetrans($1,pyzord_t,$1_pyzor_home_t,{ dir file lnk_file })
')
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index 8ba67e54..f430d8ff 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -33,8 +33,8 @@ files_type(pyzor_var_lib_t)
allow pyzor_t self:udp_socket create_socket_perms;
-allow pyzor_t pyzor_var_lib_t:dir r_dir_perms;
-allow pyzor_t pyzor_var_lib_t:file r_file_perms;
+allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
+read_files_pattern(pyzor_t,pyzor_var_lib_t,pyzor_var_lib_t)
files_search_var_lib(pyzor_t)
kernel_read_kernel_sysctls(pyzor_t)
@@ -76,17 +76,17 @@ optional_policy(`
allow pyzord_t self:udp_socket create_socket_perms;
-allow pyzord_t pyzor_var_lib_t:file create_file_perms;
-allow pyzord_t pyzor_var_lib_t:dir { rw_dir_perms setattr };
+manage_files_pattern(pyzord_t,pyzor_var_lib_t,pyzor_var_lib_t)
+allow pyzord_t pyzor_var_lib_t:dir setattr;
files_var_lib_filetrans(pyzord_t,pyzor_var_lib_t,{ file dir })
-allow pyzord_t pyzor_etc_t:file create_file_perms;
-allow pyzord_t pyzor_etc_t:dir r_dir_perms;
+read_files_pattern(pyzord_t,pyzor_etc_t,pyzor_etc_t)
+allow pyzord_t pyzor_etc_t:dir list_dir_perms;
can_exec(pyzord_t,pyzor_exec_t)
-allow pyzord_t pyzord_log_t:file create_file_perms;
-allow pyzord_t pyzord_log_t:dir { rw_dir_perms setattr };
+manage_files_pattern(pyzord_t,pyzord_log_t,pyzord_log_t)
+allow pyzord_t pyzord_log_t:dir setattr;
logging_log_filetrans(pyzord_t,pyzord_log_t, { file dir } )
kernel_read_kernel_sysctls(pyzord_t)
diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
index 09a38634..6cb2442b 100644
--- a/policy/modules/services/qmail.if
+++ b/policy/modules/services/qmail.if
@@ -109,10 +109,7 @@ interface(`qmail_domtrans_inject',`
type qmail_inject_exec_t;
')
- domain_auto_trans($1, qmail_inject_exec_t, qmail_inject_t)
- allow qmail_inject_t $1:fd use;
- allow qmail_inject_t $1:fifo_file { read write };
- allow qmail_inject_t $1:process sigchld;
+ domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
ifdef(`distro_debian',`
files_search_usr($1)
@@ -139,11 +136,7 @@ interface(`qmail_domtrans_queue',`
type qmail_queue_exec_t;
')
- domain_auto_trans($1, qmail_queue_exec_t, qmail_queue_t)
-
- allow qmail_queue_t $1:fd use;
- allow qmail_queue_t $1:fifo_file { read write };
- allow qmail_queue_t $1:process sigchld;
+ domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
ifdef(`distro_debian',`
files_search_usr($1)
@@ -202,9 +195,5 @@ interface(`qmail_smtpd_service_domain',`
type qmail_smtpd_t;
')
- domain_auto_trans(qmail_smtpd_t, $2, $1)
-
- allow $1 qmail_smtpd_t:fd use;
- allow $1 qmail_smtpd_t:fifo_file { read write };
- allow $1 qmail_smtpd_t:process sigchld;
+ domtrans_pattern(qmail_smtpd_t, $2, $1)
')
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
index 5c02d302..96ee18af 100644
--- a/policy/modules/services/qmail.te
+++ b/policy/modules/services/qmail.te
@@ -65,8 +65,8 @@ domain_entry_file(qmail_tcp_env_t,qmail_tcp_env_exec_t)
# this component cleans up the queue directory
#
-allow qmail_clean_t qmail_spool_t:dir rw_dir_perms;
-allow qmail_clean_t qmail_spool_t:file { unlink read getattr };
+read_files_pattern(qmail_clean_t,qmail_spool_t,qmail_spool_t)
+delete_files_pattern(qmail_clean_t,qmail_spool_t,qmail_spool_t)
########################################
#
@@ -99,12 +99,12 @@ allow qmail_local_t self:fifo_file write;
allow qmail_local_t self:process signal_perms;
allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
-allow qmail_local_t qmail_alias_home_t:dir create_dir_perms;
-allow qmail_local_t qmail_alias_home_t:file create_file_perms;
+manage_dirs_pattern(qmail_local_t,qmail_alias_home_t,qmail_alias_home_t)
+manage_files_pattern(qmail_local_t,qmail_alias_home_t,qmail_alias_home_t)
allow qmail_local_t qmail_queue_exec_t:file read;
-allow qmail_local_t qmail_spool_t:file r_file_perms;
+allow qmail_local_t qmail_spool_t:file read_file_perms;
kernel_read_system_state(qmail_local_t)
@@ -133,8 +133,7 @@ can_exec(qmail_lspawn_t, qmail_exec_t)
allow qmail_lspawn_t qmail_local_exec_t:file read;
-allow qmail_lspawn_t qmail_spool_t:dir search;
-allow qmail_lspawn_t qmail_spool_t:file { read getattr };
+read_files_pattern(qmail_lspawn_t,qmail_spool_t,qmail_spool_t)
corecmd_search_sbin(qmail_lspawn_t)
@@ -155,9 +154,9 @@ allow qmail_queue_t qmail_smtpd_t:fd use;
allow qmail_queue_t qmail_smtpd_t:fifo_file read;
allow qmail_queue_t qmail_smtpd_t:process sigchld;
-allow qmail_queue_t qmail_spool_t:dir create_dir_perms;
-allow qmail_queue_t qmail_spool_t:fifo_file { read write };
-allow qmail_queue_t qmail_spool_t:file create_file_perms;
+manage_dirs_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
+manage_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
+rw_fifo_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
optional_policy(`
daemontools_ipc_domain(qmail_queue_t)
@@ -172,8 +171,7 @@ optional_policy(`
allow qmail_remote_t self:tcp_socket create_socket_perms;
allow qmail_remote_t self:udp_socket create_socket_perms;
-allow qmail_remote_t qmail_spool_t:dir search;
-allow qmail_remote_t qmail_spool_t:file rw_file_perms;
+rw_files_pattern(qmail_remote_t,qmail_spool_t,qmail_spool_t)
corenet_non_ipsec_sendrecv(qmail_remote_t)
corenet_tcp_sendrecv_generic_if(qmail_remote_t)
@@ -201,8 +199,7 @@ allow qmail_rspawn_t self:fifo_file read;
allow qmail_rspawn_t qmail_remote_exec_t:file read;
-allow qmail_rspawn_t qmail_spool_t:dir search;
-allow qmail_rspawn_t qmail_spool_t:file rw_file_perms;
+rw_files_pattern(qmail_rspawn_t,qmail_spool_t,qmail_spool_t)
corecmd_search_bin(qmail_rspawn_t)
corecmd_search_sbin(qmail_rspawn_t)
@@ -216,9 +213,9 @@ corecmd_search_sbin(qmail_rspawn_t)
allow qmail_send_t self:process signal_perms;
allow qmail_send_t self:fifo_file write;
-allow qmail_send_t qmail_spool_t:dir create_dir_perms;
-allow qmail_send_t qmail_spool_t:file create_file_perms;
-allow qmail_send_t qmail_spool_t:fifo_file read;
+manage_dirs_pattern(qmail_send_t,qmail_spool_t,qmail_spool_t)
+manage_files_pattern(qmail_send_t,qmail_spool_t,qmail_spool_t)
+read_fifo_files_pattern(qmail_send_t,qmail_spool_t,qmail_spool_t)
qmail_domtrans_queue(qmail_send_t)
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index a99fd39c..5123bc9d 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -32,27 +32,26 @@ files_pid_file(radiusd_var_run_t)
allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
dontaudit radiusd_t self:capability sys_tty_config;
allow radiusd_t self:process { setsched signal };
-allow radiusd_t self:fifo_file rw_file_perms;
+allow radiusd_t self:fifo_file rw_fifo_file_perms;
allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
allow radiusd_t self:tcp_socket create_stream_socket_perms;
allow radiusd_t self:udp_socket create_socket_perms;
-allow radiusd_t radiusd_etc_t:file r_file_perms;
allow radiusd_t radiusd_etc_t:dir r_dir_perms;
-allow radiusd_t radiusd_etc_t:lnk_file { getattr read };
+read_files_pattern(radiusd_t,radiusd_etc_t,radiusd_etc_t)
+read_lnk_files_pattern(radiusd_t,radiusd_etc_t,radiusd_etc_t)
files_search_etc(radiusd_t)
-allow radiusd_t radiusd_etc_rw_t:dir create_dir_perms;
-allow radiusd_t radiusd_etc_rw_t:file create_file_perms;
-allow radiusd_t radiusd_etc_rw_t:lnk_file create_lnk_perms;
-type_transition radiusd_t radiusd_etc_t:{ dir file lnk_file } radiusd_etc_rw_t;
+manage_dirs_pattern(radiusd_t,radiusd_etc_rw_t,radiusd_etc_rw_t)
+manage_files_pattern(radiusd_t,radiusd_etc_rw_t,radiusd_etc_rw_t)
+manage_lnk_files_pattern(radiusd_t,radiusd_etc_rw_t,radiusd_etc_rw_t)
+filetrans_pattern(radiusd_t,radiusd_etc_t,radiusd_etc_rw_t,{ dir file lnk_file })
-allow radiusd_t radiusd_log_t:file create_file_perms;
-allow radiusd_t radiusd_log_t:dir create_dir_perms;
+manage_dirs_pattern(radiusd_t,radiusd_log_t,radiusd_log_t)
+manage_files_pattern(radiusd_t,radiusd_log_t,radiusd_log_t)
logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })
-allow radiusd_t radiusd_var_run_t:file create_file_perms;
-allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(radiusd_t,radiusd_var_run_t,radiusd_var_run_t)
files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
kernel_read_kernel_sysctls(radiusd_t)
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index 6fb98a93..970a7131 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -30,8 +30,7 @@ allow radvd_t self:udp_socket create_socket_perms;
allow radvd_t radvd_etc_t:file { getattr read };
-allow radvd_t radvd_var_run_t:file create_file_perms;
-allow radvd_t radvd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(radvd_t,radvd_var_run_t,radvd_var_run_t)
files_pid_filetrans(radvd_t,radvd_var_run_t,file)
kernel_read_kernel_sysctls(radvd_t)
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
index 9a1bff69..c58bfdf1 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -26,7 +26,7 @@ template(`razor_common_domain_template',`
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_t self:fd use;
- allow $1_t self:fifo_file rw_file_perms;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket sendto;
@@ -42,14 +42,14 @@ template(`razor_common_domain_template',`
allow $1_t razor_etc_t:file read_file_perms;
allow $1_t razor_etc_t:lnk_file { getattr read };
- allow $1_t razor_log_t:dir manage_dir_perms;
- allow $1_t razor_log_t:file manage_file_perms;
- allow $1_t razor_log_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_t,razor_log_t,razor_log_t)
+ manage_files_pattern($1_t,razor_log_t,razor_log_t)
+ manage_lnk_files_pattern($1_t,razor_log_t,razor_log_t)
logging_log_filetrans($1_t,razor_log_t,file)
- allow $1_t razor_var_lib_t:dir manage_dir_perms;
- allow $1_t razor_var_lib_t:file manage_file_perms;
- allow $1_t razor_var_lib_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_t,razor_var_lib_t,razor_var_lib_t)
+ manage_files_pattern($1_t,razor_var_lib_t,razor_var_lib_t)
+ manage_lnk_files_pattern($1_t,razor_var_lib_t,razor_var_lib_t)
files_search_var_lib($1_t)
# Razor is one executable and several symlinks
@@ -152,24 +152,23 @@ template(`razor_per_role_template',`
allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_razor_t $1_razor_home_t:dir manage_dir_perms;
- allow $1_razor_t $1_razor_home_t:file manage_file_perms;
- allow $1_razor_t $1_razor_home_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1_razor_t,$1_razor_home_t,$1_razor_home_t)
+ manage_files_pattern($1_razor_t,$1_razor_home_t,$1_razor_home_t)
+ manage_lnk_files_pattern($1_razor_t,$1_razor_home_t,$1_razor_home_t)
userdom_user_home_dir_filetrans($1,$1_razor_t,$1_razor_home_t,dir)
- allow $1_razor_t $1_razor_tmp_t:dir create_dir_perms;
- allow $1_razor_t $1_razor_tmp_t:file create_file_perms;
+ manage_dirs_pattern($1_razor_t,$1_razor_tmp_t,$1_razor_tmp_t)
+ manage_files_pattern($1_razor_t,$1_razor_tmp_t,$1_razor_tmp_t)
files_tmp_filetrans($1_razor_t, $1_razor_tmp_t, { file dir })
- domain_auto_trans($2, razor_exec_t, $1_razor_t)
- allow $1_razor_t $2:fd use;
- allow $1_razor_t $2:fifo_file rw_file_perms;
- allow $1_razor_t $2:process sigchld;
+ domtrans_pattern($2, razor_exec_t, $1_razor_t)
- allow $2 $1_razor_home_t:dir manage_dir_perms;
- allow $2 $1_razor_home_t:file manage_file_perms;
- allow $2 $1_razor_home_t:lnk_file create_lnk_perms;
- allow $2 $1_razor_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+ manage_dirs_pattern($2,$1_razor_home_t,$1_razor_home_t)
+ manage_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
+ manage_lnk_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
+ relabel_dirs_pattern($2,$1_razor_home_t,$1_razor_home_t)
+ relabel_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
+ relabel_lnk_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
logging_send_syslog_msg($1_razor_t)
@@ -210,8 +209,5 @@ interface(`razor_domtrans',`
type razor_t, razor_exec_t;
')
- domain_auto_trans($1, razor_exec_t, razor_t)
- allow razor_t $1:fd use;
- allow razor_t $1:fifo_file rw_file_perms;
- allow razor_t $1:process sigchld;
+ domtrans_pattern($1, razor_exec_t, razor_t)
')
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index f1d7164b..29916f83 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
@@ -29,16 +29,15 @@ files_type(razor_var_lib_t)
allow razor_t self:tcp_socket create_socket_perms;
-allow razor_t razor_etc_t:dir create_dir_perms;
-allow razor_t razor_etc_t:file create_file_perms;
-allow razor_t razor_etc_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(razor_t,razor_etc_t,razor_etc_t)
+manage_files_pattern(razor_t,razor_etc_t,razor_etc_t)
+manage_lnk_files_pattern(razor_t,razor_etc_t,razor_etc_t)
files_search_etc(razor_t)
-allow razor_t razor_log_t:file create_file_perms;
+allow razor_t razor_log_t:file manage_file_perms;
logging_log_filetrans(razor_t,razor_log_t,file)
-allow razor_t razor_var_lib_t:file create_file_perms;
-allow razor_t razor_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(razor_t,razor_var_lib_t,razor_var_lib_t)
files_var_lib_filetrans(razor_t,razor_var_lib_t,file)
corenet_non_ipsec_sendrecv(razor_t)
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
index ea2114e4..b5c10ba9 100644
--- a/policy/modules/services/remotelogin.te
+++ b/policy/modules/services/remotelogin.te
@@ -23,8 +23,8 @@ allow remote_login_t self:capability { dac_override chown fowner fsetid kill set
allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow remote_login_t self:process { setrlimit setexec };
allow remote_login_t self:fd use;
-allow remote_login_t self:fifo_file rw_file_perms;
-allow remote_login_t self:sock_file r_file_perms;
+allow remote_login_t self:fifo_file rw_fifo_file_perms;
+allow remote_login_t self:sock_file read_sock_file_perms;
allow remote_login_t self:unix_dgram_socket create_socket_perms;
allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
allow remote_login_t self:unix_dgram_socket sendto;
@@ -35,8 +35,8 @@ allow remote_login_t self:msgq create_msgq_perms;
allow remote_login_t self:msg { send receive };
allow remote_login_t self:key write;
-allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
-allow remote_login_t remote_login_tmp_t:file create_file_perms;
+manage_dirs_pattern(remote_login_t,remote_login_tmp_t,remote_login_tmp_t)
+manage_files_pattern(remote_login_t,remote_login_tmp_t,remote_login_tmp_t)
files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
kernel_read_system_state(remote_login_t)
diff --git a/policy/modules/services/resmgr.te b/policy/modules/services/resmgr.te
index 695d7c6d..890c1ddb 100644
--- a/policy/modules/services/resmgr.te
+++ b/policy/modules/services/resmgr.te
@@ -29,7 +29,7 @@ allow resmgrd_t resmgrd_etc_t:file { getattr read };
files_search_etc(resmgrd_t)
allow resmgrd_t resmgrd_var_run_t:file manage_file_perms;
-allow resmgrd_t resmgrd_var_run_t:sock_file manage_file_perms;
+allow resmgrd_t resmgrd_var_run_t:sock_file manage_sock_file_perms;
files_pid_filetrans(resmgrd_t,resmgrd_var_run_t,{ file sock_file })
kernel_list_proc(resmgrd_t)
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index bd8681d7..3a5a3751 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -26,16 +26,16 @@ dontaudit rhgb_t self:capability sys_tty_config;
allow rhgb_t self:process { setpgid signal_perms };
allow rhgb_t self:shm create_shm_perms;
allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
-allow rhgb_t self:fifo_file rw_file_perms;
+allow rhgb_t self:fifo_file rw_fifo_file_perms;
allow rhgb_t self:tcp_socket create_socket_perms;
allow rhgb_t self:udp_socket create_socket_perms;
allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
-allow rhgb_t rhgb_tmpfs_t:dir manage_dir_perms;
-allow rhgb_t rhgb_tmpfs_t:file manage_file_perms;
-allow rhgb_t rhgb_tmpfs_t:lnk_file create_lnk_perms;
-allow rhgb_t rhgb_tmpfs_t:sock_file manage_file_perms;
-allow rhgb_t rhgb_tmpfs_t:fifo_file manage_file_perms;
+manage_dirs_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t)
+manage_files_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t)
+manage_lnk_files_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t)
+manage_fifo_files_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t)
+manage_sock_files_pattern(rhgb_t,rhgb_tmpfs_t,rhgb_tmpfs_t)
fs_tmpfs_filetrans(rhgb_t,rhgb_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_kernel_sysctls(rhgb_t)
@@ -116,7 +116,7 @@ xserver_kill_xdm_xserver(rhgb_t)
xserver_read_xkb_libs(rhgb_t)
ifdef(`strict_policy',`
- allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr };
+ allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(rhgb_t,rhgb_devpts_t)
', `
files_dontaudit_read_root_files(rhgb_t)
diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if
index 6355d50c..be4d4661 100644
--- a/policy/modules/services/ricci.if
+++ b/policy/modules/services/ricci.if
@@ -15,10 +15,7 @@ interface(`ricci_domtrans',`
type ricci_t, ricci_exec_t;
')
- domain_auto_trans($1,ricci_exec_t,ricci_t)
- allow ricci_t $1:fd use;
- allow ricci_t $1:fifo_file rw_file_perms;
- allow ricci_t $1:process sigchld;
+ domtrans_pattern($1,ricci_exec_t,ricci_t)
')
########################################
@@ -36,10 +33,7 @@ interface(`ricci_domtrans_modcluster',`
type ricci_modcluster_t, ricci_modcluster_exec_t;
')
- domain_auto_trans($1,ricci_modcluster_exec_t,ricci_modcluster_t)
- allow ricci_modcluster_t $1:fd use;
- allow ricci_modcluster_t $1:fifo_file rw_file_perms;
- allow ricci_modcluster_t $1:process sigchld;
+ domtrans_pattern($1,ricci_modcluster_exec_t,ricci_modcluster_t)
')
########################################
@@ -115,10 +109,7 @@ interface(`ricci_domtrans_modlog',`
type ricci_modlog_t, ricci_modlog_exec_t;
')
- domain_auto_trans($1,ricci_modlog_exec_t,ricci_modlog_t)
- allow ricci_modlog_t $1:fd use;
- allow ricci_modlog_t $1:fifo_file rw_file_perms;
- allow ricci_modlog_t $1:process sigchld;
+ domtrans_pattern($1,ricci_modlog_exec_t,ricci_modlog_t)
')
########################################
@@ -136,10 +127,7 @@ interface(`ricci_domtrans_modrpm',`
type ricci_modrpm_t, ricci_modrpm_exec_t;
')
- domain_auto_trans($1,ricci_modrpm_exec_t,ricci_modrpm_t)
- allow ricci_modrpm_t $1:fd use;
- allow ricci_modrpm_t $1:fifo_file rw_file_perms;
- allow ricci_modrpm_t $1:process sigchld;
+ domtrans_pattern($1,ricci_modrpm_exec_t,ricci_modrpm_t)
')
########################################
@@ -157,10 +145,7 @@ interface(`ricci_domtrans_modservice',`
type ricci_modservice_t, ricci_modservice_exec_t;
')
- domain_auto_trans($1,ricci_modservice_exec_t,ricci_modservice_t)
- allow ricci_modservice_t $1:fd use;
- allow ricci_modservice_t $1:fifo_file rw_file_perms;
- allow ricci_modservice_t $1:process sigchld;
+ domtrans_pattern($1,ricci_modservice_exec_t,ricci_modservice_t)
')
########################################
@@ -178,8 +163,5 @@ interface(`ricci_domtrans_modstorage',`
type ricci_modstorage_t, ricci_modstorage_exec_t;
')
- domain_auto_trans($1,ricci_modstorage_exec_t,ricci_modstorage_t)
- allow ricci_modstorage_t $1:fd use;
- allow ricci_modstorage_t $1:fifo_file rw_file_perms;
- allow ricci_modstorage_t $1:process sigchld;
+ domtrans_pattern($1,ricci_modstorage_exec_t,ricci_modstorage_t)
')
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index be60d82b..a72c7254 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -92,26 +92,25 @@ domain_auto_trans(ricci_t,ricci_modservice_exec_t,ricci_modservice_t)
domain_auto_trans(ricci_t,ricci_modstorage_exec_t,ricci_modstorage_t)
# tmp file
-allow ricci_t ricci_tmp_t:dir create_dir_perms;
-allow ricci_t ricci_tmp_t:file create_file_perms;
+manage_dirs_pattern(ricci_t,ricci_tmp_t,ricci_tmp_t)
+manage_files_pattern(ricci_t,ricci_tmp_t,ricci_tmp_t)
files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })
# var/lib files for ricci
-allow ricci_t ricci_var_lib_t:file create_file_perms;
-allow ricci_t ricci_var_lib_t:sock_file create_file_perms;
-allow ricci_t ricci_var_lib_t:dir create_dir_perms;
+manage_dirs_pattern(ricci_t,ricci_var_lib_t,ricci_var_lib_t)
+manage_files_pattern(ricci_t,ricci_var_lib_t,ricci_var_lib_t)
+manage_sock_files_pattern(ricci_t,ricci_var_lib_t,ricci_var_lib_t)
files_var_lib_filetrans(ricci_t,ricci_var_lib_t, { file dir sock_file })
# log files
-allow ricci_t ricci_var_log_t:file create_file_perms;
-allow ricci_t ricci_var_log_t:sock_file create_file_perms;
-allow ricci_t ricci_var_log_t:dir { rw_dir_perms setattr };
+allow ricci_t ricci_var_log_t:dir setattr;
+manage_files_pattern(ricci_t,ricci_var_log_t,ricci_var_log_t)
+manage_sock_files_pattern(ricci_t,ricci_var_log_t,ricci_var_log_t)
logging_log_filetrans(ricci_t,ricci_var_log_t,{ sock_file file dir })
# pid file
-allow ricci_t ricci_var_run_t:file manage_file_perms;
-allow ricci_t ricci_var_run_t:sock_file manage_file_perms;
-allow ricci_t ricci_var_run_t:dir rw_dir_perms;
+manage_files_pattern(ricci_t,ricci_var_run_t,ricci_var_run_t)
+manage_sock_files_pattern(ricci_t,ricci_var_run_t,ricci_var_run_t)
files_pid_filetrans(ricci_t,ricci_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(ricci_t)
@@ -202,7 +201,7 @@ optional_policy(`
allow ricci_modcluster_t self:capability sys_nice;
allow ricci_modcluster_t self:process setsched;
-allow ricci_modcluster_t self:fifo_file rw_file_perms;
+allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;
kernel_read_kernel_sysctls(ricci_modcluster_t)
kernel_read_system_state(ricci_modcluster_t)
@@ -266,7 +265,7 @@ unconfined_domain(ricci_modcluster_t)
allow ricci_modclusterd_t self:capability sys_nice;
allow ricci_modclusterd_t self:process { signal sigkill setsched };
-allow ricci_modclusterd_t self:fifo_file rw_file_perms;
+allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
allow ricci_modclusterd_t self:netlink_route_socket r_netlink_socket_perms;
@@ -276,15 +275,14 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
# log files
-allow ricci_modclusterd_t ricci_modcluster_var_log_t:file create_file_perms;
-allow ricci_modclusterd_t ricci_modcluster_var_log_t:sock_file create_file_perms;
-allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir { rw_dir_perms setattr };
+allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
+manage_files_pattern(ricci_modclusterd_t,ricci_modcluster_var_log_t,ricci_modcluster_var_log_t)
+manage_sock_files_pattern(ricci_modclusterd_t,ricci_modcluster_var_log_t,ricci_modcluster_var_log_t)
logging_log_filetrans(ricci_modclusterd_t,ricci_modcluster_var_log_t,{ sock_file file dir })
# pid file
-allow ricci_modclusterd_t ricci_modcluster_var_run_t:file manage_file_perms;
-allow ricci_modclusterd_t ricci_modcluster_var_run_t:sock_file manage_file_perms;
-allow ricci_modclusterd_t ricci_modcluster_var_run_t:dir rw_dir_perms;
+manage_files_pattern(ricci_modclusterd_t,ricci_modcluster_var_run_t,ricci_modcluster_var_run_t)
+manage_sock_files_pattern(ricci_modclusterd_t,ricci_modcluster_var_run_t,ricci_modcluster_var_run_t)
files_pid_filetrans(ricci_modclusterd_t,ricci_modcluster_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(ricci_modclusterd_t)
@@ -445,7 +443,7 @@ optional_policy(`
allow ricci_modstorage_t self:process { setsched signal };
allow ricci_modstorage_t self:capability { mknod sys_nice };
-allow ricci_modstorage_t self:fifo_file rw_file_perms;
+allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
kernel_read_kernel_sysctls(ricci_modstorage_t)
diff --git a/policy/modules/services/rlogin.if b/policy/modules/services/rlogin.if
index 9326e5af..27bb9978 100644
--- a/policy/modules/services/rlogin.if
+++ b/policy/modules/services/rlogin.if
@@ -16,10 +16,5 @@ interface(`rlogin_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,rlogind_exec_t,rlogind_t)
-
- allow $1 rlogind_t:fd use;
- allow rlogind_t $1:fd use;
- allow rlogind_t $1:fifo_file rw_file_perms;
- allow rlogind_t $1:process sigchld;
+ domtrans_pattern($1,rlogind_exec_t,rlogind_t)
')
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index b7bbcd7f..9fa8c6fc 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -27,24 +27,23 @@ files_pid_file(rlogind_var_run_t)
allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
allow rlogind_t self:process signal_perms;
-allow rlogind_t self:fifo_file rw_file_perms;
+allow rlogind_t self:fifo_file rw_fifo_file_perms;
allow rlogind_t self:tcp_socket connected_stream_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow rlogind_t self:capability { setuid setgid };
-allow rlogind_t rlogind_devpts_t:chr_file { rw_file_perms setattr };
+allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(rlogind_t,rlogind_devpts_t)
# for /usr/lib/telnetlogin
can_exec(rlogind_t, rlogind_exec_t)
-allow rlogind_t rlogind_tmp_t:dir create_dir_perms;
-allow rlogind_t rlogind_tmp_t:file create_file_perms;
+manage_dirs_pattern(rlogind_t,rlogind_tmp_t,rlogind_tmp_t)
+manage_files_pattern(rlogind_t,rlogind_tmp_t,rlogind_tmp_t)
files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
-allow rlogind_t rlogind_var_run_t:file create_file_perms;
-allow rlogind_t rlogind_var_run_t:dir rw_dir_perms;
+manage_files_pattern(rlogind_t,rlogind_var_run_t,rlogind_var_run_t)
files_pid_filetrans(rlogind_t,rlogind_var_run_t,file)
kernel_read_kernel_sysctls(rlogind_t)
diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te
index e9c66e40..5992ac85 100644
--- a/policy/modules/services/roundup.te
+++ b/policy/modules/services/roundup.te
@@ -28,14 +28,12 @@ allow roundup_t self:unix_stream_socket create_stream_socket_perms;
allow roundup_t self:tcp_socket create_stream_socket_perms;
allow roundup_t self:udp_socket create_socket_perms;
-allow roundup_t roundup_var_run_t:file create_file_perms;
-allow roundup_t roundup_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(roundup_t,roundup_var_run_t,file)
-
-allow roundup_t roundup_var_lib_t:file create_file_perms;
-allow roundup_t roundup_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(roundup_t,roundup_var_lib_t,roundup_var_lib_t)
files_var_lib_filetrans(roundup_t,roundup_var_lib_t,file)
+manage_files_pattern(roundup_t,roundup_var_run_t,roundup_var_run_t)
+files_pid_filetrans(roundup_t,roundup_var_run_t,file)
+
kernel_read_kernel_sysctls(roundup_t)
kernel_list_proc(roundup_t)
kernel_read_proc_symlinks(roundup_t)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index 30c32442..14440831 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -57,8 +57,8 @@ template(`rpc_domain_template', `
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
- allow $1_t var_lib_nfs_t:dir create_dir_perms;
- allow $1_t var_lib_nfs_t:file create_file_perms;
+ manage_dirs_pattern($1_t,var_lib_nfs_t,var_lib_nfs_t)
+ manage_files_pattern($1_t,var_lib_nfs_t,var_lib_nfs_t)
kernel_list_proc($1_t)
kernel_read_proc_symlinks($1_t)
@@ -184,7 +184,7 @@ interface(`rpc_read_exports',`
type exports_t;
')
- allow $1 exports_t:file r_file_perms;
+ allow $1 exports_t:file read_file_perms;
')
########################################
@@ -220,12 +220,7 @@ interface(`rpc_domtrans_nfsd',`
type nfsd_t, nfsd_exec_t;
')
- domain_auto_trans($1,nfsd_exec_t,nfsd_t)
-
- allow $1 nfsd_t:fd use;
- allow nfsd_t $1:fd use;
- allow nfsd_t $1:fifo_file rw_file_perms;
- allow nfsd_t $1:process sigchld;
+ domtrans_pattern($1,nfsd_exec_t,nfsd_t)
')
########################################
@@ -265,9 +260,9 @@ interface(`rpc_manage_nfs_rw_content',`
type nfsd_rw_t;
')
- allow $1 nfsd_rw_t:dir manage_dir_perms;
- allow $1 nfsd_rw_t:file manage_file_perms;
- allow $1 nfsd_rw_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1,nfsd_rw_t,nfsd_rw_t)
+ manage_files_pattern($1,nfsd_rw_t,nfsd_rw_t)
+ manage_lnk_files_pattern($1,nfsd_rw_t,nfsd_rw_t)
')
########################################
@@ -286,9 +281,9 @@ interface(`rpc_manage_nfs_ro_content',`
type nfsd_ro_t;
')
- allow $1 nfsd_ro_t:dir manage_dir_perms;
- allow $1 nfsd_ro_t:file manage_file_perms;
- allow $1 nfsd_ro_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1,nfsd_ro_t,nfsd_ro_t)
+ manage_files_pattern($1,nfsd_ro_t,nfsd_ro_t)
+ manage_lnk_files_pattern($1,nfsd_ro_t,nfsd_ro_t)
')
########################################
@@ -358,6 +353,5 @@ interface(`rpc_read_nfs_state_data',`
')
files_search_var_lib($1)
- allow $1 var_lib_nfs_t:dir search_dir_perms;
- allow $1 var_lib_nfs_t:file read_file_perms;
+ read_files_pattern($1,var_lib_nfs_t,var_lib_nfs_t)
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 3e246fe8..57d2ac5f 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -38,10 +38,10 @@ files_mountpoint(var_lib_nfs_t)
#
allow rpcd_t self:capability { chown dac_override setgid setuid };
-allow rpcd_t self:fifo_file rw_file_perms;
+allow rpcd_t self:fifo_file rw_fifo_file_perms;
-allow rpcd_t rpcd_var_run_t:file manage_file_perms;
-allow rpcd_t rpcd_var_run_t:dir { rw_dir_perms setattr };
+allow rpcd_t rpcd_var_run_t:dir setattr;
+manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
kernel_read_system_state(rpcd_t)
@@ -74,7 +74,7 @@ optional_policy(`
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
allow nfsd_t exports_t:file { getattr read };
-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
+allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
@@ -124,8 +124,8 @@ allow gssd_t self:capability { dac_override dac_read_search setuid };
allow gssd_t self:process getsched;
allow gssd_t self:fifo_file { read write };
-allow gssd_t gssd_tmp_t:dir create_dir_perms;
-allow gssd_t gssd_tmp_t:file create_file_perms;
+manage_dirs_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
+manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
kernel_read_network_state(gssd_t)
diff --git a/policy/modules/services/rshd.if b/policy/modules/services/rshd.if
index eefcd30d..2e7daee5 100644
--- a/policy/modules/services/rshd.if
+++ b/policy/modules/services/rshd.if
@@ -17,10 +17,5 @@ interface(`rshd_domtrans',`
files_search_usr($1)
corecmd_search_bin($1)
- domain_auto_trans($1,rshd_exec_t,rshd_t)
-
- allow $1 rshd_t:fd use;
- allow rshd_t $1:fd use;
- allow rshd_t $1:fifo_file rw_file_perms;
- allow rshd_t $1:process sigchld;
+ domtrans_pattern($1,rshd_exec_t,rshd_t)
')
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
index 839bf928..e814bd30 100644
--- a/policy/modules/services/rshd.te
+++ b/policy/modules/services/rshd.te
@@ -18,7 +18,7 @@ role system_r types rshd_t;
#
allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override };
allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
-allow rshd_t self:fifo_file rw_file_perms;
+allow rshd_t self:fifo_file rw_fifo_file_perms;
allow rshd_t self:tcp_socket create_stream_socket_perms;
kernel_read_kernel_sysctls(rshd_t)
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 9064c2d3..51c1211c 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -27,7 +27,7 @@ files_pid_file(rsync_var_run_t)
allow rsync_t self:capability sys_chroot;
allow rsync_t self:process signal_perms;
-allow rsync_t self:fifo_file rw_file_perms;
+allow rsync_t self:fifo_file rw_fifo_file_perms;
allow rsync_t self:tcp_socket create_stream_socket_perms;
allow rsync_t self:udp_socket connected_socket_perms;
@@ -38,16 +38,15 @@ allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow rsync_t self:capability { setuid setgid };
#end for identd
-allow rsync_t rsync_data_t:dir r_dir_perms;
-allow rsync_t rsync_data_t:file r_file_perms;
-allow rsync_t rsync_data_t:lnk_file r_file_perms;
+allow rsync_t rsync_data_t:dir list_dir_perms;
+read_files_pattern(rsync_t,rsync_data_t,rsync_data_t)
+read_lnk_files_pattern(rsync_t,rsync_data_t,rsync_data_t)
-allow rsync_t rsync_tmp_t:dir create_dir_perms;
-allow rsync_t rsync_tmp_t:file create_file_perms;
+manage_dirs_pattern(rsync_t,rsync_tmp_t,rsync_tmp_t)
+manage_files_pattern(rsync_t,rsync_tmp_t,rsync_tmp_t)
files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
-allow rsync_t rsync_var_run_t:file create_file_perms;
-allow rsync_t rsync_var_run_t:dir rw_dir_perms;
+manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
files_pid_filetrans(rsync_t,rsync_var_run_t,file)
kernel_read_kernel_sysctls(rsync_t)
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index c2e220e5..3ecc275f 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -58,12 +58,7 @@ interface(`samba_domtrans_net',`
')
corecmd_search_bin($1)
- domain_auto_trans($1,samba_net_exec_t,samba_net_t)
-
- allow $1 samba_net_t:fd use;
- allow samba_net_t $1:fd use;
- allow samba_net_t $1:fifo_file rw_file_perms;
- allow samba_net_t $1:process sigchld;
+ domtrans_pattern($1,samba_net_exec_t,samba_net_t)
')
########################################
@@ -114,12 +109,7 @@ interface(`samba_domtrans_smbmount',`
')
corecmd_search_bin($1)
- domain_auto_trans($1,smbmount_exec_t,smbmount_t)
-
- allow $1 smbmount_t:fd use;
- allow smbmount_t $1:fd use;
- allow smbmount_t $1:fifo_file rw_file_perms;
- allow smbmount_t $1:process sigchld;
+ domtrans_pattern($1,smbmount_exec_t,smbmount_t)
')
########################################
@@ -140,8 +130,7 @@ interface(`samba_read_config',`
')
files_search_etc($1)
- allow $1 samba_etc_t:dir search_dir_perms;
- allow $1 samba_etc_t:file { read getattr lock };
+ read_files_pattern($1,samba_etc_t,samba_etc_t)
')
########################################
@@ -162,8 +151,7 @@ interface(`samba_rw_config',`
')
files_search_etc($1)
- allow $1 samba_etc_t:dir search_dir_perms;
- allow $1 samba_etc_t:file rw_file_perms;
+ rw_files_pattern($1,samba_etc_t,samba_etc_t)
')
########################################
@@ -183,8 +171,8 @@ interface(`samba_read_log',`
')
logging_search_logs($1)
- allow $1 samba_log_t:dir r_dir_perms;
- allow $1 samba_log_t:file { read getattr lock };
+ allow $1 samba_log_t:dir list_dir_perms;
+ read_files_pattern($1,samba_log_t,samba_log_t)
')
########################################
@@ -262,8 +250,7 @@ interface(`samba_rw_var_files',`
')
files_search_var($1)
- allow $1 samba_var_t:dir search_dir_perms;
- allow $1 samba_var_t:file rw_file_perms;
+ rw_files_pattern($1,samba_var_t,samba_var_t)
')
########################################
@@ -317,12 +304,7 @@ interface(`samba_domtrans_winbind_helper',`
type winbind_helper_t, winbind_helper_exec_t;
')
- domain_auto_trans($1,winbind_helper_exec_t,winbind_helper_t)
-
- allow $1 winbind_helper_t:fd use;
- allow winbind_helper_t $1:fd use;
- allow winbind_helper_t $1:fifo_file rw_file_perms;
- allow winbind_helper_t $1:process sigchld;
+ domtrans_pattern($1,winbind_helper_exec_t,winbind_helper_t)
')
########################################
@@ -373,7 +355,7 @@ interface(`samba_read_winbind_pid',`
')
files_search_pids($1)
- allow $1 winbind_var_run_t:file r_file_perms;
+ allow $1 winbind_var_run_t:file read_file_perms;
')
########################################
@@ -393,7 +375,5 @@ interface(`samba_stream_connect_winbind',`
files_search_pids($1)
allow $1 samba_var_t:dir search_dir_perms;
- allow $1 winbind_var_run_t:dir search_dir_perms;
- allow $1 winbind_var_run_t:sock_file { getattr read write };
- allow $1 winbind_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 7759850b..67490b92 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -96,19 +96,18 @@ allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
allow samba_net_t self:udp_socket create_socket_perms;
allow samba_net_t self:tcp_socket create_socket_perms;
-allow samba_net_t samba_etc_t:file r_file_perms;
+allow samba_net_t samba_etc_t:file read_file_perms;
-allow samba_net_t samba_secrets_t:file create_file_perms;
-allow samba_net_t samba_etc_t:dir rw_dir_perms;
-type_transition samba_net_t samba_etc_t:file samba_secrets_t;
+manage_files_pattern(samba_net_t,samba_etc_t,samba_secrets_t)
+filetrans_pattern(samba_net_t,samba_etc_t,samba_secrets_t,file)
-allow samba_net_t samba_net_tmp_t:dir create_dir_perms;
-allow samba_net_t samba_net_tmp_t:file create_file_perms;
+manage_dirs_pattern(samba_net_t,samba_net_tmp_t,samba_net_tmp_t)
+manage_files_pattern(samba_net_t,samba_net_tmp_t,samba_net_tmp_t)
files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
allow samba_net_t samba_var_t:dir rw_dir_perms;
-allow samba_net_t samba_var_t:lnk_file create_lnk_perms;
-allow samba_net_t samba_var_t:file create_file_perms;
+manage_files_pattern(samba_net_t,samba_var_t,samba_var_t)
+manage_lnk_files_pattern(samba_net_t,samba_var_t,samba_var_t)
kernel_read_proc_symlinks(samba_net_t)
@@ -165,49 +164,49 @@ dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
allow smbd_t self:fd use;
-allow smbd_t self:fifo_file rw_file_perms;
+allow smbd_t self:fifo_file rw_fifo_file_perms;
allow smbd_t self:msg { send receive };
allow smbd_t self:msgq create_msgq_perms;
allow smbd_t self:sem create_sem_perms;
allow smbd_t self:shm create_shm_perms;
-allow smbd_t self:sock_file r_file_perms;
+allow smbd_t self:sock_file read_file_perms;
allow smbd_t self:tcp_socket create_stream_socket_perms;
allow smbd_t self:udp_socket create_socket_perms;
allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow smbd_t self:netlink_route_socket r_netlink_socket_perms;
-allow smbd_t samba_etc_t:dir rw_dir_perms;
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
-allow smbd_t samba_log_t:dir { create ra_dir_perms setattr };
+create_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
+create_files_pattern(smbd_t,samba_log_t,samba_log_t)
+append_files_pattern(smbd_t,samba_log_t,samba_log_t)
+allow smbd_t samba_log_t:dir setattr;
dontaudit smbd_t samba_log_t:dir remove_name;
-allow smbd_t samba_log_t:file { create ra_file_perms };
allow smbd_t samba_net_tmp_t:file getattr;
-allow smbd_t samba_secrets_t:dir rw_dir_perms;
-allow smbd_t samba_secrets_t:file create_file_perms;
-type_transition smbd_t samba_etc_t:file samba_secrets_t;
+manage_files_pattern(smbd_t,samba_secrets_t,samba_secrets_t)
+filetrans_pattern(smbd_t,samba_etc_t,samba_secrets_t,file)
-allow smbd_t samba_share_t:dir create_dir_perms;
-allow smbd_t samba_share_t:file create_file_perms;
-allow smbd_t samba_share_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t)
+manage_files_pattern(smbd_t,samba_share_t,samba_share_t)
+manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t)
-allow smbd_t samba_var_t:dir create_dir_perms;
-allow smbd_t samba_var_t:file create_file_perms;
-allow smbd_t samba_var_t:lnk_file create_lnk_perms;
-allow smbd_t samba_var_t:sock_file create_file_perms;
+manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t)
+manage_files_pattern(smbd_t,samba_var_t,samba_var_t)
+manage_lnk_files_pattern(smbd_t,samba_var_t,samba_var_t)
+manage_sock_files_pattern(smbd_t,samba_var_t,samba_var_t)
-allow smbd_t smbd_tmp_t:dir create_dir_perms;
-allow smbd_t smbd_tmp_t:file create_file_perms;
+manage_dirs_pattern(smbd_t,smbd_tmp_t,smbd_tmp_t)
+manage_files_pattern(smbd_t,smbd_tmp_t,smbd_tmp_t)
files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
allow smbd_t nmbd_var_run_t:file rw_file_perms;
-allow smbd_t smbd_var_run_t:dir create_dir_perms;
-allow smbd_t smbd_var_run_t:file create_file_perms;
-allow smbd_t smbd_var_run_t:sock_file create_file_perms;
+manage_dirs_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
+manage_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
+manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
files_pid_filetrans(smbd_t,smbd_var_run_t,file)
allow smbd_t winbind_var_run_t:sock_file { read write getattr };
@@ -330,29 +329,29 @@ optional_policy(`
dontaudit nmbd_t self:capability sys_tty_config;
allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow nmbd_t self:fd use;
-allow nmbd_t self:fifo_file rw_file_perms;
+allow nmbd_t self:fifo_file rw_fifo_file_perms;
allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
-allow nmbd_t self:sock_file r_file_perms;
+allow nmbd_t self:sock_file read_file_perms;
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow nmbd_t nmbd_var_run_t:file create_file_perms;
-allow nmbd_t nmbd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(nmbd_t,nmbd_var_run_t,nmbd_var_run_t)
files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
-allow nmbd_t samba_etc_t:dir { search getattr };
-allow nmbd_t samba_etc_t:file { getattr read };
+read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
-allow nmbd_t samba_log_t:dir { create ra_dir_perms setattr };
-allow nmbd_t samba_log_t:file { create ra_file_perms };
+create_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
+append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
+read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
+create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
+allow nmbd_t samba_log_t:dir setattr;
-allow nmbd_t samba_var_t:dir rw_dir_perms;
-allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
+manage_files_pattern(nmbd_t,samba_var_t,samba_var_t)
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
@@ -435,19 +434,19 @@ allow smbmount_t self:udp_socket connect;
allow smbmount_t self:unix_dgram_socket create_socket_perms;
allow smbmount_t self:unix_stream_socket create_socket_perms;
-allow smbmount_t samba_etc_t:dir r_dir_perms;
-allow smbmount_t samba_etc_t:file r_file_perms;
+allow smbmount_t samba_etc_t:dir list_dir_perms;
+allow smbmount_t samba_etc_t:file read_file_perms;
can_exec(smbmount_t, smbmount_exec_t)
-allow smbmount_t samba_log_t:dir r_dir_perms;
-allow smbmount_t samba_log_t:file create_file_perms;
+allow smbmount_t samba_log_t:dir list_dir_perms;
+allow smbmount_t samba_log_t:file manage_file_perms;
-allow smbmount_t samba_secrets_t:file create_file_perms;
+allow smbmount_t samba_secrets_t:file manage_file_perms;
allow smbmount_t samba_var_t:dir rw_dir_perms;
-allow smbmount_t samba_var_t:file create_file_perms;
-allow smbmount_t samba_var_t:lnk_file create_lnk_perms;
+manage_files_pattern(smbmount_t,samba_var_t,samba_var_t)
+manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
kernel_read_system_state(smbmount_t)
@@ -529,11 +528,9 @@ allow swat_t self:netlink_route_socket r_netlink_socket_perms;
allow swat_t nmbd_exec_t:file { execute read };
-allow swat_t samba_etc_t:dir search;
-allow swat_t samba_etc_t:file { getattr write read };
+rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
-allow swat_t samba_log_t:dir search;
-allow swat_t samba_log_t:file append;
+append_files_pattern(swat_t,samba_log_t,samba_log_t)
allow swat_t smbd_exec_t:file execute ;
@@ -541,12 +538,11 @@ allow swat_t smbd_t:process signull;
allow swat_t smbd_var_run_t:file read;
-allow swat_t swat_tmp_t:dir create_dir_perms;
-allow swat_t swat_tmp_t:file create_file_perms;
+manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
+manage_files_pattern(swat_t,swat_tmp_t,swat_tmp_t)
files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
-allow swat_t swat_var_run_t:file create_file_perms;
-allow swat_t swat_var_run_t:dir rw_dir_perms;
+manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)
allow swat_t winbind_exec_t:file execute;
@@ -625,32 +621,29 @@ allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
allow winbind_t self:tcp_socket create_stream_socket_perms;
allow winbind_t self:udp_socket create_socket_perms;
-allow winbind_t samba_etc_t:dir r_dir_perms;
-allow winbind_t samba_etc_t:lnk_file { getattr read };
-allow winbind_t samba_etc_t:file r_file_perms;
+allow winbind_t samba_etc_t:dir list_dir_perms;
+read_files_pattern(winbind_t,samba_etc_t,samba_etc_t)
+read_lnk_files_pattern(winbind_t,samba_etc_t,samba_etc_t)
-allow winbind_t samba_secrets_t:file create_file_perms;
-allow winbind_t samba_etc_t:dir rw_dir_perms;
-type_transition winbind_t samba_etc_t:file samba_secrets_t;
+manage_files_pattern(winbind_t,samba_etc_t,samba_secrets_t)
+filetrans_pattern(winbind_t,samba_etc_t,samba_secrets_t,file)
-allow winbind_t samba_log_t:dir manage_dir_perms;
-allow winbind_t samba_log_t:file manage_file_perms;
-allow winbind_t samba_log_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(winbind_t,samba_log_t,samba_log_t)
+manage_files_pattern(winbind_t,samba_log_t,samba_log_t)
+manage_lnk_files_pattern(winbind_t,samba_log_t,samba_log_t)
-allow winbind_t samba_var_t:dir rw_dir_perms;
-allow winbind_t samba_var_t:file create_file_perms;
-allow winbind_t samba_var_t:lnk_file create_lnk_perms;
+manage_files_pattern(winbind_t,samba_var_t,samba_var_t)
+manage_lnk_files_pattern(winbind_t,samba_var_t,samba_var_t)
-allow winbind_t winbind_log_t:file create_file_perms;
+allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t,winbind_log_t,file)
-allow winbind_t winbind_tmp_t:dir create_dir_perms;
-allow winbind_t winbind_tmp_t:file create_file_perms;
+manage_dirs_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
+manage_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
-allow winbind_t winbind_var_run_t:file create_file_perms;
-allow winbind_t winbind_var_run_t:sock_file create_file_perms;
-allow winbind_t winbind_var_run_t:dir rw_dir_perms;
+manage_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
+manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
files_pid_filetrans(winbind_t,winbind_var_run_t,file)
kernel_read_kernel_sysctls(winbind_t)
@@ -731,15 +724,13 @@ optional_policy(`
allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
-allow winbind_helper_t samba_etc_t:dir r_dir_perms;
-allow winbind_helper_t samba_etc_t:lnk_file { getattr read };
-allow winbind_helper_t samba_etc_t:file r_file_perms;
+allow winbind_helper_t samba_etc_t:dir list_dir_perms;
+read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
+read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
allow winbind_helper_t samba_var_t:dir search;
-allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
-allow winbind_helper_t winbind_var_run_t:sock_file { getattr read write };
-allow winbind_helper_t winbind_t:unix_stream_socket connectto;
+stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
term_list_ptys(winbind_helper_t)
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
index 60a8cfe1..756f40a7 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@@ -16,7 +16,5 @@ interface(`sasl_connect',`
')
files_search_pids($1)
- allow $1 saslauthd_var_run_t:dir search;
- allow $1 saslauthd_var_run_t:sock_file { read write };
- allow $1 saslauthd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,saslauthd_var_run_t,saslauthd_var_run_t,saslauthd_t)
')
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 77544c3d..7835fb36 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -26,9 +26,8 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
allow saslauthd_t self:tcp_socket create_socket_perms;
-allow saslauthd_t saslauthd_var_run_t:file create_file_perms;
-allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
-allow saslauthd_t saslauthd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(saslauthd_t,saslauthd_var_run_t,saslauthd_var_run_t)
+manage_sock_files_pattern(saslauthd_t,saslauthd_var_run_t,saslauthd_var_run_t)
files_pid_filetrans(saslauthd_t,saslauthd_var_run_t,file)
kernel_read_kernel_sysctls(saslauthd_t)
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index afbebeeb..e0d10d50 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -27,19 +27,19 @@ mta_mailserver_sender(sendmail_t)
allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
allow sendmail_t self:process signal;
-allow sendmail_t self:fifo_file rw_file_perms;
+allow sendmail_t self:fifo_file rw_fifo_file_perms;
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
allow sendmail_t self:unix_dgram_socket create_socket_perms;
allow sendmail_t self:tcp_socket create_stream_socket_perms;
allow sendmail_t self:udp_socket create_socket_perms;
allow sendmail_t self:netlink_route_socket r_netlink_socket_perms;
-allow sendmail_t sendmail_log_t:file create_file_perms;
-allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
+allow sendmail_t sendmail_log_t:dir setattr;
+manage_files_pattern(sendmail_t,sendmail_log_t,sendmail_log_t)
logging_log_filetrans(sendmail_t,sendmail_log_t,{ file dir })
-allow sendmail_t sendmail_tmp_t:dir manage_dir_perms;
-allow sendmail_t sendmail_tmp_t:file manage_file_perms;
+manage_dirs_pattern(sendmail_t,sendmail_tmp_t,sendmail_tmp_t)
+manage_files_pattern(sendmail_t,sendmail_tmp_t,sendmail_tmp_t)
files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
allow sendmail_t sendmail_var_run_t:file manage_file_perms;
@@ -142,10 +142,10 @@ optional_policy(`
ifdef(`TODO',`
allow sendmail_t etc_mail_t:dir rw_dir_perms;
-allow sendmail_t etc_mail_t:file create_file_perms;
+allow sendmail_t etc_mail_t:file manage_file_perms;
# for the start script to run make -C /etc/mail
allow initrc_t etc_mail_t:dir rw_dir_perms;
-allow initrc_t etc_mail_t:file create_file_perms;
+allow initrc_t etc_mail_t:file manage_file_perms;
allow system_mail_t initrc_t:fd use;
allow system_mail_t initrc_t:fifo_file write;
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index a67b52c8..d49664bc 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -29,27 +29,26 @@ files_pid_file(setroubleshoot_var_run_t)
allow setroubleshootd_t self:capability { dac_override sys_tty_config };
allow setroubleshootd_t self:process { signal getattr getsched };
-allow setroubleshootd_t self:fifo_file rw_file_perms;
+allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
allow setroubleshootd_t self:netlink_route_socket r_netlink_socket_perms;
# database files
-allow setroubleshootd_t setroubleshoot_var_lib_t:file create_file_perms;
-allow setroubleshootd_t setroubleshoot_var_lib_t:dir { rw_dir_perms setattr };
+allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
+manage_files_pattern(setroubleshootd_t,setroubleshoot_var_lib_t,setroubleshoot_var_lib_t)
files_var_lib_filetrans(setroubleshootd_t,setroubleshoot_var_lib_t,{ file dir })
# log files
-allow setroubleshootd_t setroubleshoot_var_log_t:file manage_file_perms;
-allow setroubleshootd_t setroubleshoot_var_log_t:sock_file manage_file_perms;
-allow setroubleshootd_t setroubleshoot_var_log_t:dir { rw_dir_perms setattr };
+allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr;
+manage_files_pattern(setroubleshootd_t,setroubleshoot_var_log_t,setroubleshoot_var_log_t)
+manage_sock_files_pattern(setroubleshootd_t,setroubleshoot_var_log_t,setroubleshoot_var_log_t)
logging_log_filetrans(setroubleshootd_t,setroubleshoot_var_log_t,{ file dir })
# pid file
-allow setroubleshootd_t setroubleshoot_var_run_t:file manage_file_perms;
-allow setroubleshootd_t setroubleshoot_var_run_t:sock_file manage_file_perms;
-allow setroubleshootd_t setroubleshoot_var_run_t:dir rw_dir_perms;
+manage_files_pattern(setroubleshootd_t,setroubleshoot_var_run_t,setroubleshoot_var_run_t)
+manage_sock_files_pattern(setroubleshootd_t,setroubleshoot_var_run_t,setroubleshoot_var_run_t)
files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(setroubleshootd_t)
diff --git a/policy/modules/services/slrnpull.if b/policy/modules/services/slrnpull.if
index bfac15a1..8ff82b3a 100644
--- a/policy/modules/services/slrnpull.if
+++ b/policy/modules/services/slrnpull.if
@@ -36,7 +36,7 @@ interface(`slrnpull_manage_spool',`
')
files_search_spool($1)
- allow $1 slrnpull_spool_t:dir create_dir_perms;
- allow $1 slrnpull_spool_t:file create_file_perms;
- allow $1 slrnpull_spool_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1,slrnpull_spool_t,slrnpull_spool_t)
+ manage_files_pattern($1,slrnpull_spool_t,slrnpull_spool_t)
+ manage_lnk_files_pattern($1,slrnpull_spool_t,slrnpull_spool_t)
')
diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te
index c7de93ad..ff0951cb 100644
--- a/policy/modules/services/slrnpull.te
+++ b/policy/modules/services/slrnpull.te
@@ -27,17 +27,15 @@ logging_log_file(slrnpull_log_t)
dontaudit slrnpull_t self:capability sys_tty_config;
allow slrnpull_t self:process signal_perms;
-allow slrnpull_t slrnpull_log_t:file create_file_perms;
+allow slrnpull_t slrnpull_log_t:file manage_file_perms;
logging_log_filetrans(slrnpull_t,slrnpull_log_t,file)
-allow slrnpull_t slrnpull_spool_t:dir rw_dir_perms;
-allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;
-allow slrnpull_t slrnpull_spool_t:file create_file_perms;
-allow slrnpull_t slrnpull_spool_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(slrnpull_t,slrnpull_spool_t,slrnpull_spool_t)
+manage_files_pattern(slrnpull_t,slrnpull_spool_t,slrnpull_spool_t)
+manage_lnk_files_pattern(slrnpull_t,slrnpull_spool_t,slrnpull_spool_t)
files_search_spool(slrnpull_t)
-allow slrnpull_t slrnpull_var_run_t:file create_file_perms;
-allow slrnpull_t slrnpull_var_run_t:dir rw_dir_perms;
+manage_files_pattern(slrnpull_t,slrnpull_var_run_t,slrnpull_var_run_t)
files_pid_filetrans(slrnpull_t,slrnpull_var_run_t,file)
kernel_list_proc(slrnpull_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 3ebbdcb3..91094fdf 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -24,17 +24,16 @@ files_tmp_file(fsdaemon_tmp_t)
allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
dontaudit fsdaemon_t self:capability sys_tty_config;
allow fsdaemon_t self:process signal_perms;
-allow fsdaemon_t self:fifo_file rw_file_perms;
+allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
allow fsdaemon_t self:udp_socket create_socket_perms;
-allow fsdaemon_t fsdaemon_tmp_t:dir create_dir_perms;
-allow fsdaemon_t fsdaemon_tmp_t:file create_file_perms;
+manage_dirs_pattern(fsdaemon_t,fsdaemon_tmp_t,fsdaemon_tmp_t)
+manage_files_pattern(fsdaemon_t,fsdaemon_tmp_t,fsdaemon_tmp_t)
files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir })
-allow fsdaemon_t fsdaemon_var_run_t:file create_file_perms;
-allow fsdaemon_t fsdaemon_var_run_t:dir rw_dir_perms;
+manage_files_pattern(fsdaemon_t,fsdaemon_var_run_t,fsdaemon_var_run_t)
files_pid_filetrans(fsdaemon_t,fsdaemon_var_run_t,file)
kernel_read_kernel_sysctls(fsdaemon_t)
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
index cbe73e44..a21eb212 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -42,9 +42,10 @@ interface(`snmp_read_snmp_var_lib_files',`
gen_require(`
type snmpd_var_lib_t;
')
- allow $1 snmpd_var_lib_t:dir r_dir_perms;
- allow $1 snmpd_var_lib_t:file r_file_perms;
- allow $1 snmpd_var_lib_t:lnk_file { getattr read };
+
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
+ read_files_pattern($1,snmpd_var_lib_t,snmpd_var_lib_t)
+ read_lnk_files_pattern($1,snmpd_var_lib_t,snmpd_var_lib_t)
')
########################################
@@ -61,7 +62,7 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
gen_require(`
type snmpd_var_lib_t;
')
- dontaudit $1 snmpd_var_lib_t:dir r_dir_perms;
- dontaudit $1 snmpd_var_lib_t:file r_file_perms;
+ dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
+ dontaudit $1 snmpd_var_lib_t:file read_file_perms;
dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
')
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index 2879796e..a4da0e33 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -27,7 +27,7 @@ files_type(snmpd_var_lib_t)
#
allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
dontaudit snmpd_t self:capability sys_tty_config;
-allow snmpd_t self:fifo_file rw_file_perms;
+allow snmpd_t self:fifo_file rw_fifo_file_perms;
allow snmpd_t self:unix_dgram_socket create_socket_perms;
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
allow snmpd_t self:tcp_socket create_stream_socket_perms;
@@ -35,18 +35,17 @@ allow snmpd_t self:udp_socket connected_stream_socket_perms;
allow snmpd_t snmpd_etc_t:file { getattr read };
-allow snmpd_t snmpd_log_t:file create_file_perms;
+allow snmpd_t snmpd_log_t:file manage_file_perms;
logging_log_filetrans(snmpd_t,snmpd_log_t,file)
-allow snmpd_t snmpd_var_lib_t:file create_file_perms;
-allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
-allow snmpd_t snmpd_var_lib_t:dir create_dir_perms;
+manage_dirs_pattern(snmpd_t,snmpd_var_lib_t,snmpd_var_lib_t)
+manage_files_pattern(snmpd_t,snmpd_var_lib_t,snmpd_var_lib_t)
+manage_sock_files_pattern(snmpd_t,snmpd_var_lib_t,snmpd_var_lib_t)
files_usr_filetrans(snmpd_t,snmpd_var_lib_t,file)
files_var_filetrans(snmpd_t,snmpd_var_lib_t,{ file dir sock_file })
files_var_lib_filetrans(snmpd_t,snmpd_var_lib_t,file)
-allow snmpd_t snmpd_var_run_t:file create_file_perms;
-allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(snmpd_t,snmpd_var_run_t,snmpd_var_run_t)
files_pid_filetrans(snmpd_t,snmpd_var_run_t,file)
kernel_read_device_sysctls(snmpd_t)
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index 66ba191b..4acfeccc 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -35,20 +35,19 @@ allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
allow snort_t self:packet_socket create_socket_perms;
-allow snort_t snort_etc_t:dir r_dir_perms;
-allow snort_t snort_etc_t:file r_file_perms;
+allow snort_t snort_etc_t:dir list_dir_perms;
+allow snort_t snort_etc_t:file read_file_perms;
allow snort_t snort_etc_t:lnk_file { getattr read };
-allow snort_t snort_log_t:file create_file_perms;
-allow snort_t snort_log_t:dir { create rw_dir_perms };
+manage_files_pattern(snort_t,snort_log_t,snort_log_t)
+create_dirs_pattern(snort_t,snort_log_t,snort_log_t)
logging_log_filetrans(snort_t,snort_log_t,{ file dir })
-allow snort_t snort_tmp_t:dir create_dir_perms;
-allow snort_t snort_tmp_t:file create_file_perms;
+manage_dirs_pattern(snort_t,snort_tmp_t,snort_tmp_t)
+manage_files_pattern(snort_t,snort_tmp_t,snort_tmp_t)
files_tmp_filetrans(snort_t, snort_tmp_t, { file dir })
-allow snort_t snort_var_run_t:file create_file_perms;
-allow snort_t snort_var_run_t:dir rw_dir_perms;
+manage_files_pattern(snort_t,snort_var_run_t,snort_var_run_t)
files_pid_filetrans(snort_t,snort_var_run_t,file)
kernel_read_kernel_sysctls(snort_t)
diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te
index 83eef5ee..d43168c0 100644
--- a/policy/modules/services/soundserver.te
+++ b/policy/modules/services/soundserver.te
@@ -42,23 +42,20 @@ allow soundd_t soundd_etc_t:dir list_dir_perms;
allow soundd_t soundd_etc_t:file read_file_perms;
allow soundd_t soundd_etc_t:lnk_file { getattr read };
-allow soundd_t soundd_state_t:dir rw_dir_perms;
-allow soundd_t soundd_state_t:file manage_file_perms;
-allow soundd_t soundd_state_t:lnk_file create_lnk_perms;
+manage_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
+manage_lnk_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
-allow soundd_t soundd_tmp_t:dir manage_dir_perms;
-allow soundd_t soundd_tmp_t:file manage_file_perms;
+manage_dirs_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+manage_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir })
-allow soundd_t soundd_tmpfs_t:dir rw_dir_perms;
-allow soundd_t soundd_tmpfs_t:file manage_file_perms;
-allow soundd_t soundd_tmpfs_t:lnk_file create_lnk_perms;
-allow soundd_t soundd_tmpfs_t:sock_file manage_file_perms;
-allow soundd_t soundd_tmpfs_t:fifo_file manage_file_perms;
+manage_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t)
+manage_lnk_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t)
+manage_fifo_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t)
+manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t)
fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-allow soundd_t soundd_var_run_t:file manage_file_perms;
-allow soundd_t soundd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t)
files_pid_filetrans(soundd_t,soundd_var_run_t,file)
kernel_read_kernel_sysctls(soundd_t)
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 3ffdc696..46273d28 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -67,8 +67,8 @@ template(`spamassassin_per_role_template',`
allow $1_spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_spamc_t self:fd use;
- allow $1_spamc_t self:fifo_file rw_file_perms;
- allow $1_spamc_t self:sock_file r_file_perms;
+ allow $1_spamc_t self:fifo_file rw_fifo_file_perms;
+ allow $1_spamc_t self:sock_file read_sock_file_perms;
allow $1_spamc_t self:shm create_shm_perms;
allow $1_spamc_t self:sem create_sem_perms;
allow $1_spamc_t self:msgq create_msgq_perms;
@@ -80,19 +80,15 @@ template(`spamassassin_per_role_template',`
allow $1_spamc_t self:tcp_socket create_stream_socket_perms;
allow $1_spamc_t self:udp_socket create_socket_perms;
- allow $1_spamc_t $1_spamc_tmp_t:dir create_dir_perms;
- allow $1_spamc_t $1_spamc_tmp_t:file create_file_perms;
+ manage_dirs_pattern($1_spamc_t,$1_spamc_tmp_t,$1_spamc_tmp_t)
+ manage_files_pattern($1_spamc_t,$1_spamc_tmp_t,$1_spamc_tmp_t)
files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir })
# Allow connecting to a local spamd
allow $1_spamc_t spamd_t:unix_stream_socket connectto;
allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;
- domain_auto_trans($2, spamc_exec_t, $1_spamc_t)
- allow $2 $1_spamc_t:fd use;
- allow $1_spamc_t $2:fd use;
- allow $1_spamc_t $2:fifo_file rw_file_perms;
- allow $1_spamc_t $2:process sigchld;
+ domtrans_pattern($2, spamc_exec_t, $1_spamc_t)
kernel_read_kernel_sysctls($1_spamc_t)
@@ -180,8 +176,8 @@ template(`spamassassin_per_role_template',`
allow $1_spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_spamassassin_t self:fd use;
- allow $1_spamassassin_t self:fifo_file rw_file_perms;
- allow $1_spamassassin_t self:sock_file r_file_perms;
+ allow $1_spamassassin_t self:fifo_file rw_fifo_file_perms;
+ allow $1_spamassassin_t self:sock_file read_sock_file_perms;
allow $1_spamassassin_t self:unix_dgram_socket create_socket_perms;
allow $1_spamassassin_t self:unix_stream_socket create_stream_socket_perms;
allow $1_spamassassin_t self:unix_dgram_socket sendto;
@@ -191,32 +187,31 @@ template(`spamassassin_per_role_template',`
allow $1_spamassassin_t self:msgq create_msgq_perms;
allow $1_spamassassin_t self:msg { send receive };
- allow $1_spamassassin_t $1_spamassassin_home_t:dir create_dir_perms;
- allow $1_spamassassin_t $1_spamassassin_home_t:file create_file_perms;
- allow $1_spamassassin_t $1_spamassassin_home_t:lnk_file create_lnk_perms;
- allow $1_spamassassin_t $1_spamassassin_home_t:sock_file create_file_perms;
- allow $1_spamassassin_t $1_spamassassin_home_t:fifo_file create_file_perms;
+ manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+ manage_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+ manage_lnk_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+ manage_fifo_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+ manage_sock_files_pattern($1_spamassassin_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
- allow $1_spamassassin_t $1_spamassassin_tmp_t:dir create_dir_perms;
- allow $1_spamassassin_t $1_spamassassin_tmp_t:file create_file_perms;
+ manage_dirs_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t)
+ manage_files_pattern($1_spamassassin_t, $1_spamassassin_tmp_t,$1_spamassassin_tmp_t)
files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir })
- allow $2 $1_spamassassin_home_t:dir { create_dir_perms relabelfrom relabelto };
- allow $2 $1_spamassassin_home_t:file { create_file_perms relabelfrom relabelto };
- allow $2 $1_spamassassin_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
+ manage_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
+ manage_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
+ manage_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
+ relabel_dirs_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
+ relabel_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
+ relabel_lnk_files_pattern($2, $1_spamassassin_home_t,$1_spamassassin_home_t)
- domain_auto_trans($2, spamassassin_exec_t, $1_spamassassin_t)
- allow $2 $1_spamassassin_t:fd use;
- allow $1_spamassassin_t $2:fd use;
- allow $1_spamassassin_t $2:fifo_file rw_file_perms;
- allow $1_spamassassin_t $2:process sigchld;
+ domtrans_pattern($2, spamassassin_exec_t, $1_spamassassin_t)
- allow spamd_t $1_spamassassin_home_t:dir create_dir_perms;
- allow spamd_t $1_spamassassin_home_t:file create_file_perms;
- allow spamd_t $1_spamassassin_home_t:lnk_file create_lnk_perms;
- allow spamd_t $1_spamassassin_home_t:sock_file create_file_perms;
- allow spamd_t $1_spamassassin_home_t:fifo_file create_file_perms;
+ manage_dirs_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+ manage_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+ manage_lnk_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+ manage_fifo_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
+ manage_sock_files_pattern(spamd_t, $1_spamassassin_home_t,$1_spamassassin_home_t)
userdom_user_home_dir_filetrans($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_kernel_sysctls($1_spamassassin_t)
@@ -409,12 +404,7 @@ template(`spamassassin_domtrans_user_client',`
type $1_spamc_t, spamc_exec_t;
')
- domain_auto_trans($2,spamc_exec_t,$1_spamc_t)
-
- allow $2 $1_spamc_t:fd use;
- allow $1_spamc_t $2:fd use;
- allow $1_spamc_t $2:fifo_file rw_file_perms;
- allow $1_spamc_t $2:process sigchld;
+ domtrans_pattern($2,spamc_exec_t,$1_spamc_t)
')
########################################
@@ -462,12 +452,7 @@ template(`spamassassin_domtrans_user_local_client',`
type $1_spamassassin_t, spamassassin_exec_t;
')
- domain_auto_trans($2,spamassassin_exec_t,$1_spamassassin_t)
-
- allow $2 $1_spamassassin_t:fd use;
- allow $1_spamassassin_t $2:fd use;
- allow $1_spamassassin_t $2:fifo_file rw_file_perms;
- allow $1_spamassassin_t $2:process sigchld;
+ domtrans_pattern($2,spamassassin_exec_t,$1_spamassassin_t)
')
########################################
@@ -485,7 +470,7 @@ interface(`spamassassin_read_spamd_tmp_files',`
type spamd_tmp_t;
')
- allow $1 spamd_tmp_t:file r_file_perms;
+ allow $1 spamd_tmp_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 6b064b8b..d27e4617 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -39,8 +39,8 @@ allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-allow spamd_t self:fifo_file rw_file_perms;
-allow spamd_t self:sock_file r_file_perms;
+allow spamd_t self:fifo_file rw_fifo_file_perms;
+allow spamd_t self:sock_file read_sock_file_perms;
allow spamd_t self:shm create_shm_perms;
allow spamd_t self:sem create_sem_perms;
allow spamd_t self:msgq create_msgq_perms;
@@ -53,16 +53,15 @@ allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
-allow spamd_t spamd_spool_t:file create_file_perms;
-allow spamd_t spamd_spool_t:dir create_dir_perms;
+manage_dirs_pattern(spamd_t,spamd_spool_t,spamd_spool_t)
+manage_files_pattern(spamd_t,spamd_spool_t,spamd_spool_t)
files_spool_filetrans(spamd_t,spamd_spool_t, { file dir })
-allow spamd_t spamd_tmp_t:dir create_dir_perms;
-allow spamd_t spamd_tmp_t:file create_file_perms;
+manage_dirs_pattern(spamd_t,spamd_tmp_t,spamd_tmp_t)
+manage_files_pattern(spamd_t,spamd_tmp_t,spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
-allow spamd_t spamd_var_run_t:file create_file_perms;
-allow spamd_t spamd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)
files_pid_filetrans(spamd_t,spamd_var_run_t,file)
kernel_read_all_sysctls(spamd_t)
diff --git a/policy/modules/services/speedtouch.te b/policy/modules/services/speedtouch.te
index edf09cec..025d4a4d 100644
--- a/policy/modules/services/speedtouch.te
+++ b/policy/modules/services/speedtouch.te
@@ -24,12 +24,11 @@ files_pid_file(speedmgmt_var_run_t)
dontaudit speedmgmt_t self:capability sys_tty_config;
allow speedmgmt_t self:process signal_perms;
-allow speedmgmt_t speedmgmt_tmp_t:dir create_dir_perms;
-allow speedmgmt_t speedmgmt_tmp_t:file create_file_perms;
+manage_dirs_pattern(speedmgmt_t,speedmgmt_tmp_t,speedmgmt_tmp_t)
+manage_files_pattern(speedmgmt_t,speedmgmt_tmp_t,speedmgmt_tmp_t)
files_tmp_filetrans(speedmgmt_t, speedmgmt_tmp_t, { file dir })
-allow speedmgmt_t speedmgmt_var_run_t:file create_file_perms;
-allow speedmgmt_t speedmgmt_var_run_t:dir rw_dir_perms;
+manage_files_pattern(speedmgmt_t,speedmgmt_var_run_t,speedmgmt_var_run_t)
files_pid_filetrans(speedmgmt_t,speedmgmt_var_run_t,file)
kernel_read_kernel_sysctls(speedmgmt_t)
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index a819bfcc..465bb049 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -16,12 +16,7 @@ interface(`squid_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,squid_exec_t,squid_t)
-
- allow $1 squid_t:fd use;
- allow squid_t $1:fd use;
- allow squid_t $1:fifo_file rw_file_perms;
- allow squid_t $1:process sigchld;
+ domtrans_pattern($1,squid_exec_t,squid_t)
')
########################################
@@ -41,7 +36,7 @@ interface(`squid_read_config',`
')
files_search_etc($1)
- allow $1 squid_conf_t:file r_file_perms;
+ allow $1 squid_conf_t:file read_file_perms;
')
########################################
@@ -61,8 +56,7 @@ interface(`squid_read_log',`
')
logging_search_logs($1)
- allow $1 squid_log_t:dir search_dir_perms;
- allow $1 squid_log_t:file r_file_perms;
+ read_files_pattern($1,squid_log_t,squid_log_t)
')
########################################
@@ -81,8 +75,7 @@ interface(`squid_append_log',`
')
logging_search_logs($1)
- allow $1 squid_log_t:dir search_dir_perms;
- allow $1 squid_log_t:file { getattr append };
+ append_files_pattern($1,squid_log_t,squid_log_t)
')
########################################
@@ -103,8 +96,7 @@ interface(`squid_manage_logs',`
')
logging_search_logs($1)
- allow $1 squid_log_t:dir rw_dir_perms;
- allow $1 squid_log_t:file create_file_perms;
+ manage_files_pattern($1,squid_log_t,squid_log_t)
')
########################################
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index 989c83d9..33ff7f46 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -31,8 +31,8 @@ files_pid_file(squid_var_run_t)
allow squid_t self:capability { setgid setuid dac_override sys_resource };
dontaudit squid_t self:capability sys_tty_config;
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
-allow squid_t self:fifo_file rw_file_perms;
-allow squid_t self:sock_file r_file_perms;
+allow squid_t self:fifo_file rw_fifo_file_perms;
+allow squid_t self:sock_file read_sock_file_perms;
allow squid_t self:fd use;
allow squid_t self:shm create_shm_perms;
allow squid_t self:sem create_sem_perms;
@@ -46,22 +46,20 @@ allow squid_t self:tcp_socket create_stream_socket_perms;
allow squid_t self:udp_socket create_socket_perms;
# Grant permissions to create, access, and delete cache files.
-allow squid_t squid_cache_t:dir create_dir_perms;
-allow squid_t squid_cache_t:file create_file_perms;
-allow squid_t squid_cache_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(squid_t,squid_cache_t,squid_cache_t)
+manage_files_pattern(squid_t,squid_cache_t,squid_cache_t)
+manage_lnk_files_pattern(squid_t,squid_cache_t,squid_cache_t)
-allow squid_t squid_conf_t:file r_file_perms;
-allow squid_t squid_conf_t:dir r_dir_perms;
-allow squid_t squid_conf_t:lnk_file read;
+allow squid_t squid_conf_t:dir list_dir_perms;
+read_files_pattern(squid_t,squid_conf_t,squid_conf_t)
+read_lnk_files_pattern(squid_t,squid_conf_t,squid_conf_t)
can_exec(squid_t,squid_exec_t)
-allow squid_t squid_log_t:file create_file_perms;
-allow squid_t squid_log_t:dir rw_dir_perms;
+manage_files_pattern(squid_t,squid_log_t,squid_log_t)
logging_log_filetrans(squid_t,squid_log_t,{ file dir })
-allow squid_t squid_var_run_t:file create_file_perms;
-allow squid_t squid_var_run_t:dir rw_dir_perms;
+manage_files_pattern(squid_t,squid_var_run_t,squid_var_run_t)
files_pid_filetrans(squid_t,squid_var_run_t,file)
kernel_read_kernel_sysctls(squid_t)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index d9e71ca0..ffc7eb8b 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -63,7 +63,7 @@ template(`ssh_basic_client_template',`
allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_ssh_t self:fd use;
- allow $1_ssh_t self:fifo_file rw_file_perms;
+ allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow $1_ssh_t self:shm create_shm_perms;
@@ -78,14 +78,10 @@ template(`ssh_basic_client_template',`
allow $1_ssh_t $2:unix_stream_socket connectto;
# Read the ssh key file.
- allow $1_ssh_t sshd_key_t:file r_file_perms;
+ allow $1_ssh_t sshd_key_t:file read_file_perms;
# Transition from the domain to the derived domain.
- domain_auto_trans($2, ssh_exec_t, $1_ssh_t)
- allow $2 $1_ssh_t:fd use;
- allow $1_ssh_t $2:fd use;
- allow $1_ssh_t $2:fifo_file rw_file_perms;
- allow $1_ssh_t $2:process sigchld;
+ domtrans_pattern($2, ssh_exec_t, $1_ssh_t)
# inheriting stream sockets is needed for "ssh host command" as no pty
# is allocated
@@ -94,25 +90,21 @@ template(`ssh_basic_client_template',`
allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
# allow ps to show ssh
- allow $2 $1_ssh_t:dir { search getattr read };
- allow $2 $1_ssh_t:{ file lnk_file } { read getattr };
- allow $2 $1_ssh_t:process getattr;
+ ps_process_pattern($2,$1_ssh_t)
# user can manage the keys and config
- allow $2 $1_home_ssh_t:dir rw_dir_perms;
- allow $2 $1_home_ssh_t:file create_file_perms;
- allow $2 $1_home_ssh_t:lnk_file create_lnk_perms;
- allow $2 $1_home_ssh_t:sock_file create_file_perms;
+ manage_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t)
+ manage_lnk_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t)
+ manage_sock_files_pattern($2,$1_home_ssh_t,$1_home_ssh_t)
# ssh client can manage the keys and config
- allow $1_ssh_t $1_home_ssh_t:dir r_dir_perms;
- allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
- allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read };
+ manage_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)
+ read_lnk_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)
# ssh servers can read the user keys and config
- allow ssh_server $1_home_ssh_t:dir r_dir_perms;
- allow ssh_server $1_home_ssh_t:lnk_file r_file_perms;
- allow ssh_server $1_home_ssh_t:file r_file_perms;
+ allow ssh_server $1_home_ssh_t:dir list_dir_perms;
+ read_files_pattern(ssh_server,$1_home_ssh_t,$1_home_ssh_t)
+ read_lnk_files_pattern(ssh_server,$1_home_ssh_t,$1_home_ssh_t)
kernel_read_kernel_sysctls($1_ssh_t)
@@ -157,8 +149,8 @@ template(`ssh_basic_client_template',`
ifdef(`strict_policy',`
# Access the ssh temporary files.
- allow $1_ssh_t sshd_tmp_t:dir create_dir_perms;
- allow $1_ssh_t sshd_tmp_t:file create_file_perms;
+ allow $1_ssh_t sshd_tmp_t:dir manage_dir_perms;
+ allow $1_ssh_t sshd_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })
')
@@ -251,21 +243,18 @@ template(`ssh_per_role_template',`
# Client local policy
#
- allow $1_ssh_t $1_ssh_tmpfs_t:dir rw_dir_perms;
- allow $1_ssh_t $1_ssh_tmpfs_t:file manage_file_perms;
- allow $1_ssh_t $1_ssh_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_ssh_t $1_ssh_tmpfs_t:sock_file manage_file_perms;
- allow $1_ssh_t $1_ssh_tmpfs_t:fifo_file manage_file_perms;
+ manage_files_pattern($1_ssh_t,$1_ssh_tmpfs_t,$1_ssh_tmpfs_t)
+ manage_lnk_files_pattern($1_ssh_t,$1_ssh_tmpfs_t,$1_ssh_tmpfs_t)
+ manage_fifo_files_pattern($1_ssh_t,$1_ssh_tmpfs_t,$1_ssh_tmpfs_t)
+ manage_sock_files_pattern($1_ssh_t,$1_ssh_tmpfs_t,$1_ssh_tmpfs_t)
fs_tmpfs_filetrans($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
- allow $1_ssh_t $1_home_ssh_t:dir manage_dir_perms;
- allow $1_ssh_t $1_home_ssh_t:sock_file manage_file_perms;
+ manage_dirs_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)
+ manage_sock_files_pattern($1_ssh_t,$1_home_ssh_t,$1_home_ssh_t)
userdom_user_home_dir_filetrans($1,$1_ssh_t,$1_home_ssh_t,{ dir sock_file })
# Allow the ssh program to communicate with ssh-agent.
- allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
- allow $1_ssh_t $1_ssh_agent_tmp_t:sock_file write;
- allow $1_ssh_t $1_ssh_agent_tmp_t:dir search;
+ stream_connect_pattern($1_ssh_t,$1_ssh_agent_tmp_t,$1_ssh_agent_tmp_t,$1_ssh_agent_t)
allow $1_ssh_t sshd_t:unix_stream_socket connectto;
@@ -327,27 +316,20 @@ template(`ssh_per_role_template',`
allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow $1_ssh_agent_t $1_ssh_agent_tmp_t:dir manage_dir_perms;
- allow $1_ssh_agent_t $1_ssh_agent_tmp_t:sock_file manage_file_perms;
+ manage_dirs_pattern($1_ssh_agent_t,$1_ssh_agent_tmp_t,$1_ssh_agent_tmp_t)
+ manage_sock_files_pattern($1_ssh_agent_t,$1_ssh_agent_tmp_t,$1_ssh_agent_tmp_t)
files_tmp_filetrans($1_ssh_agent_t,$1_ssh_agent_tmp_t,{ dir sock_file })
# for ssh-add
- allow $2 $1_ssh_agent_t:unix_stream_socket connectto;
- allow $2 $1_ssh_agent_tmp_t:sock_file write;
+ stream_connect_pattern($2,$1_ssh_agent_tmp_t,$1_ssh_agent_tmp_t,$1_ssh_agent_t)
# Allow the user shell to signal the ssh program.
allow $2 $1_ssh_agent_t:process signal;
# allow ps to show ssh
- allow $2 $1_ssh_agent_t:dir { search getattr read };
- allow $2 $1_ssh_agent_t:{ file lnk_file } { read getattr };
- allow $2 $1_ssh_agent_t:process getattr;
+ ps_process_pattern($2,$1_ssh_agent_t)
- domain_auto_trans($2, ssh_agent_exec_t, $1_ssh_agent_t)
- allow $2 $1_ssh_agent_t:fd use;
- allow $1_ssh_agent_t $2:fd use;
- allow $1_ssh_agent_t $2:fifo_file rw_file_perms;
- allow $1_ssh_agent_t $2:process sigchld;
+ domtrans_pattern($2, ssh_agent_exec_t, $1_ssh_agent_t)
kernel_read_kernel_sysctls($1_ssh_agent_t)
@@ -468,17 +450,17 @@ template(`ssh_server_template', `
files_pid_file($1_var_run_t)
allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
- allow $1_t self:fifo_file rw_file_perms;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:process { signal setsched setrlimit setexec };
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
# ssh agent connections:
allow $1_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr getattr relabelfrom };
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
term_create_pty($1_t,$1_devpts_t)
- allow $1_t $1_var_run_t:file create_file_perms;
+ allow $1_t $1_var_run_t:file manage_file_perms;
files_pid_filetrans($1_t,$1_var_run_t,file)
can_exec($1_t, sshd_exec_t)
@@ -711,10 +693,7 @@ interface(`ssh_domtrans_keygen',`
type ssh_keygen_t, ssh_keygen_exec_t;
')
- domain_auto_trans($1,ssh_keygen_exec_t,ssh_keygen_t)
- allow ssh_keygen_t $1:fd use;
- allow ssh_keygen_t $1:fifo_file rw_file_perms;
- allow ssh_keygen_t $1:process sigchld;
+ domtrans_pattern($1,ssh_keygen_exec_t,ssh_keygen_t)
')
########################################
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 31ac75ff..1d1ee448 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -77,9 +77,9 @@ ifdef(`strict_policy',`
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
- allow sshd_t sshd_tmp_t:dir create_dir_perms;
- allow sshd_t sshd_tmp_t:file create_file_perms;
- allow sshd_t sshd_tmp_t:sock_file create_file_perms;
+ manage_dirs_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
+ manage_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
+ manage_sock_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
kernel_link_key(sshd_t)
@@ -206,7 +206,7 @@ allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-allow ssh_keygen_t sshd_key_t:file create_file_perms;
+allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)
kernel_read_kernel_sysctls(ssh_keygen_t)
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index eb1d2bba..c6d0070d 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -35,7 +35,7 @@ files_pid_file(stunnel_var_run_t)
allow stunnel_t self:capability { setgid setuid sys_chroot };
allow stunnel_t self:process signal_perms;
-allow stunnel_t self:fifo_file rw_file_perms;
+allow stunnel_t self:fifo_file rw_fifo_file_perms;
allow stunnel_t self:tcp_socket create_stream_socket_perms;
allow stunnel_t self:udp_socket create_socket_perms;
allow stunnel_t self:netlink_route_socket r_netlink_socket_perms;
@@ -44,12 +44,11 @@ allow stunnel_t stunnel_etc_t:dir { getattr read search };
allow stunnel_t stunnel_etc_t:file { read getattr };
allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
-allow stunnel_t stunnel_tmp_t:dir create_dir_perms;
-allow stunnel_t stunnel_tmp_t:file create_file_perms;
+manage_dirs_pattern(stunnel_t,stunnel_tmp_t,stunnel_tmp_t)
+manage_files_pattern(stunnel_t,stunnel_tmp_t,stunnel_tmp_t)
files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
-allow stunnel_t stunnel_var_run_t:file create_file_perms;
-allow stunnel_t stunnel_var_run_t:dir rw_dir_perms;
+manage_files_pattern(stunnel_t,stunnel_var_run_t,stunnel_var_run_t)
files_pid_filetrans(stunnel_t,stunnel_var_run_t,file)
kernel_read_kernel_sysctls(stunnel_t)
diff --git a/policy/modules/services/sysstat.if b/policy/modules/services/sysstat.if
index a3beeadd..cc47dcd0 100644
--- a/policy/modules/services/sysstat.if
+++ b/policy/modules/services/sysstat.if
@@ -17,6 +17,5 @@ interface(`sysstat_manage_log',`
')
logging_search_logs($1)
- allow $1 sysstat_log_t:dir rw_dir_perms;
- allow $1 sysstat_log_t:file manage_file_perms;
+ manage_files_pattern($1,sysstat_log_t,sysstat_log_t)
')
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index 9d59df12..cffc4efc 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -21,12 +21,11 @@ logging_log_file(sysstat_log_t)
allow sysstat_t self:capability sys_resource;
dontaudit sysstat_t self:capability sys_admin;
-allow sysstat_t self:fifo_file rw_file_perms;
+allow sysstat_t self:fifo_file rw_fifo_file_perms;
can_exec(sysstat_t, sysstat_exec_t)
-allow sysstat_t sysstat_log_t:file create_file_perms;
-allow sysstat_t sysstat_log_t:dir rw_dir_perms;
+manage_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
logging_log_filetrans(sysstat_t,sysstat_log_t,{ file dir })
# get info from /proc
diff --git a/policy/modules/services/tcpd.if b/policy/modules/services/tcpd.if
index 16e8fb11..82958cf9 100644
--- a/policy/modules/services/tcpd.if
+++ b/policy/modules/services/tcpd.if
@@ -15,10 +15,5 @@ interface(`tcpd_domtrans',`
type tcpd_t, tcpd_exec_t;
')
- domain_auto_trans($1,tcpd_exec_t,tcpd_t)
-
- allow $1 tcpd_t:fd use;
- allow tcpd_t $1:fd use;
- allow tcpd_t $1:fifo_file rw_file_perms;
- allow tcpd_t $1:process sigchld;
+ domtrans_pattern($1,tcpd_exec_t,tcpd_t)
')
diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te
index 75803f80..ce7592d3 100644
--- a/policy/modules/services/tcpd.te
+++ b/policy/modules/services/tcpd.te
@@ -19,8 +19,8 @@ files_tmp_file(tcpd_tmp_t)
#
allow tcpd_t self:tcp_socket create_stream_socket_perms;
-allow tcpd_t tcpd_tmp_t:dir create_dir_perms;
-allow tcpd_t tcpd_tmp_t:file create_file_perms;
+manage_dirs_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
+manage_files_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
corenet_non_ipsec_sendrecv(tcpd_t)
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index 7f45edb0..d731e6b4 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -27,7 +27,7 @@ files_pid_file(telnetd_var_run_t)
allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
allow telnetd_t self:process signal_perms;
-allow telnetd_t self:fifo_file rw_file_perms;
+allow telnetd_t self:fifo_file rw_fifo_file_perms;
allow telnetd_t self:tcp_socket connected_stream_socket_perms;
allow telnetd_t self:udp_socket create_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
@@ -35,15 +35,14 @@ allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow telnetd_t self:netlink_route_socket r_netlink_socket_perms;
allow telnetd_t self:capability { setuid setgid };
-allow telnetd_t telnetd_devpts_t:chr_file { rw_file_perms setattr };
+allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(telnetd_t,telnetd_devpts_t)
-allow telnetd_t telnetd_tmp_t:dir create_dir_perms;
-allow telnetd_t telnetd_tmp_t:file create_file_perms;
+manage_dirs_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t)
+manage_files_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t)
files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
-allow telnetd_t telnetd_var_run_t:file create_file_perms;
-allow telnetd_t telnetd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(telnetd_t,telnetd_var_run_t,telnetd_var_run_t)
files_pid_filetrans(telnetd_t,telnetd_var_run_t,file)
kernel_read_kernel_sysctls(telnetd_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index e3013b9c..5ed33183 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -32,8 +32,7 @@ allow tftpd_t tftpdir_t:dir { getattr read search };
allow tftpd_t tftpdir_t:file { read getattr };
allow tftpd_t tftpdir_t:lnk_file { getattr read };
-allow tftpd_t tftpd_var_run_t:file create_file_perms;
-allow tftpd_t tftpd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(tftpd_t,tftpd_var_run_t,tftpd_var_run_t)
files_pid_filetrans(tftpd_t,tftpd_var_run_t,file)
kernel_read_kernel_sysctls(tftpd_t)
diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te
index 4b908781..01b20a5e 100644
--- a/policy/modules/services/timidity.te
+++ b/policy/modules/services/timidity.te
@@ -28,11 +28,11 @@ allow timidity_t self:unix_stream_socket create_stream_socket_perms;
allow timidity_t self:tcp_socket create_stream_socket_perms;
allow timidity_t self:udp_socket create_socket_perms;
-allow timidity_t timidity_tmpfs_t:dir create_dir_perms;
-allow timidity_t timidity_tmpfs_t:file create_file_perms;
-allow timidity_t timidity_tmpfs_t:lnk_file create_lnk_perms;
-allow timidity_t timidity_tmpfs_t:sock_file create_file_perms;
-allow timidity_t timidity_tmpfs_t:fifo_file create_file_perms;
+manage_dirs_pattern(timidity_t,timidity_tmpfs_t,timidity_tmpfs_t)
+manage_files_pattern(timidity_t,timidity_tmpfs_t,timidity_tmpfs_t)
+manage_lnk_files_pattern(timidity_t,timidity_tmpfs_t,timidity_tmpfs_t)
+manage_fifo_files_pattern(timidity_t,timidity_tmpfs_t,timidity_tmpfs_t)
+manage_sock_files_pattern(timidity_t,timidity_tmpfs_t,timidity_tmpfs_t)
fs_tmpfs_filetrans(timidity_t,timidity_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_kernel_sysctls(timidity_t)
diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
index 7427b97f..5c9fd025 100644
--- a/policy/modules/services/tor.if
+++ b/policy/modules/services/tor.if
@@ -15,10 +15,5 @@ interface(`tor_domtrans',`
type tor_t, tor_exec_t;
')
- domain_auto_trans($1,tor_exec_t,tor_t)
-
- allow $1 tor_t:fd use;
- allow tor_t $1:fd use;
- allow tor_t $1:fifo_file rw_file_perms;
- allow tor_t $1:process sigchld;
+ domtrans_pattern($1,tor_exec_t,tor_t)
')
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index 4688c1bf..09bd8a5f 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -37,28 +37,27 @@ allow tor_t self:netlink_route_socket r_netlink_socket_perms;
allow tor_t self:tcp_socket create_stream_socket_perms;
# configuration files
-allow tor_t tor_etc_t:dir r_dir_perms;
-allow tor_t tor_etc_t:file r_file_perms;
-allow tor_t tor_etc_t:lnk_file { getattr read };
+allow tor_t tor_etc_t:dir list_dir_perms;
+read_files_pattern(tor_t,tor_etc_t,tor_etc_t)
+read_lnk_files_pattern(tor_t,tor_etc_t,tor_etc_t)
# var/lib/tor files
-allow tor_t tor_var_lib_t:file create_file_perms;
-allow tor_t tor_var_lib_t:sock_file create_file_perms;
-allow tor_t tor_var_lib_t:dir create_dir_perms;
+manage_dirs_pattern(tor_t,tor_var_lib_t,tor_var_lib_t)
+manage_files_pattern(tor_t,tor_var_lib_t,tor_var_lib_t)
+manage_sock_files_pattern(tor_t,tor_var_lib_t,tor_var_lib_t)
files_usr_filetrans(tor_t,tor_var_lib_t,file)
files_var_filetrans(tor_t,tor_var_lib_t,{ file dir sock_file })
files_var_lib_filetrans(tor_t,tor_var_lib_t,file)
# log files
-allow tor_t tor_var_log_t:file create_file_perms;
-allow tor_t tor_var_log_t:sock_file create_file_perms;
-allow tor_t tor_var_log_t:dir { rw_dir_perms setattr };
+allow tor_t tor_var_log_t:dir setattr;
+manage_files_pattern(tor_t,tor_var_log_t,tor_var_log_t)
+manage_sock_files_pattern(tor_t,tor_var_log_t,tor_var_log_t)
logging_log_filetrans(tor_t,tor_var_log_t,{ sock_file file dir })
# pid file
-allow tor_t tor_var_run_t:file manage_file_perms;
-allow tor_t tor_var_run_t:sock_file manage_file_perms;
-allow tor_t tor_var_run_t:dir rw_dir_perms;
+manage_files_pattern(tor_t,tor_var_run_t,tor_var_run_t)
+manage_sock_files_pattern(tor_t,tor_var_run_t,tor_var_run_t)
files_pid_filetrans(tor_t,tor_var_run_t, { file sock_file })
kernel_read_system_state(tor_t)
diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te
index cf35e987..ba4c2b2d 100644
--- a/policy/modules/services/transproxy.te
+++ b/policy/modules/services/transproxy.te
@@ -23,8 +23,7 @@ dontaudit transproxy_t self:capability sys_tty_config;
allow transproxy_t self:process signal_perms;
allow transproxy_t self:tcp_socket create_stream_socket_perms;
-allow transproxy_t transproxy_var_run_t:file create_file_perms;
-allow transproxy_t transproxy_var_run_t:dir rw_dir_perms;
+manage_files_pattern(transproxy_t,transproxy_var_run_t,transproxy_var_run_t)
files_pid_filetrans(transproxy_t,transproxy_var_run_t,file)
kernel_read_kernel_sysctls(transproxy_t)
diff --git a/policy/modules/services/ucspitcp.if b/policy/modules/services/ucspitcp.if
index 03f11c51..259c13eb 100644
--- a/policy/modules/services/ucspitcp.if
+++ b/policy/modules/services/ucspitcp.if
@@ -32,9 +32,7 @@ interface(`ucspitcp_service_domain', `
role system_r types $1;
domain_auto_trans(ucspitcp_t, $2, $1)
-
allow $1 ucspitcp_t:fd use;
allow $1 ucspitcp_t:process sigchld;
allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;
')
-
diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te
index e514e5d1..04650f7b 100644
--- a/policy/modules/services/ucspitcp.te
+++ b/policy/modules/services/ucspitcp.te
@@ -23,8 +23,6 @@ role system_r types ucspitcp_t;
ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)
-allow rblsmtpd_t self:process { fork sigchld };
-
corecmd_search_bin(rblsmtpd_t)
corenet_tcp_sendrecv_all_if(rblsmtpd_t)
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index 0e024603..433c59d2 100644
--- a/policy/modules/services/uptime.te
+++ b/policy/modules/services/uptime.te
@@ -33,12 +33,11 @@ files_search_etc(uptimed_t)
allow uptimed_t uptimed_spool_t:file manage_file_perms;
-allow uptimed_t uptimed_var_run_t:file manage_file_perms;
-allow uptimed_t uptimed_var_run_t:dir rw_dir_perms;
+manage_files_pattern(uptimed_t,uptimed_var_run_t,uptimed_var_run_t)
files_pid_filetrans(uptimed_t,uptimed_var_run_t,file)
-allow uptimed_t uptimed_spool_t:dir manage_dir_perms;
-allow uptimed_t uptimed_spool_t:file manage_file_perms;
+manage_dirs_pattern(uptimed_t,uptimed_spool_t,uptimed_spool_t)
+manage_files_pattern(uptimed_t,uptimed_spool_t,uptimed_spool_t)
files_spool_filetrans(uptimed_t,uptimed_spool_t,{ dir file })
kernel_read_system_state(uptimed_t)
diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if
index 7b7dbfae..57d483d2 100644
--- a/policy/modules/services/uucp.if
+++ b/policy/modules/services/uucp.if
@@ -17,8 +17,8 @@ interface(`uucp_append_log',`
')
logging_search_logs($1)
- allow $1 uucpd_log_t:dir r_dir_perms;
- allow $1 uucpd_log_t:file { append getattr };
+ allow $1 uucpd_log_t:dir list_dir_perms;
+ append_files_pattern($1,uucpd_log_t,uucpd_log_t)
')
########################################
@@ -37,9 +37,9 @@ interface(`uucp_manage_spool',`
')
files_search_spool($1)
- allow $1 uucpd_spool_t:dir manage_dir_perms;
- allow $1 uucpd_spool_t:lnk_file create_lnk_perms;
- allow $1 uucpd_spool_t:file manage_file_perms;
+ manage_dirs_pattern($1,uucpd_spool_t,uucpd_spool_t)
+ manage_files_pattern($1,uucpd_spool_t,uucpd_spool_t)
+ manage_lnk_files_pattern($1,uucpd_spool_t,uucpd_spool_t)
')
########################################
@@ -58,9 +58,5 @@ interface(`uucp_domtrans_uux',`
type uux_t, uux_exec_t;
')
- domain_auto_trans($1,uux_exec_t,uux_t)
-
- allow uux_t $1:fd use;
- allow uux_t $1:fifo_file rw_file_perms;
- allow uux_t $1:process sigchld;
+ domtrans_pattern($1,uux_exec_t,uux_t)
')
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index 40dc8ecf..271d1d7e 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -40,31 +40,30 @@ role system_r types uux_t;
#
allow uucpd_t self:capability { setuid setgid };
allow uucpd_t self:process signal_perms;
-allow uucpd_t self:fifo_file rw_file_perms;
+allow uucpd_t self:fifo_file rw_fifo_file_perms;
allow uucpd_t self:tcp_socket connected_stream_socket_perms;
allow uucpd_t self:udp_socket create_socket_perms;
allow uucpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow uucpd_t uucpd_log_t:file create_file_perms;
-allow uucpd_t uucpd_log_t:dir { rw_dir_perms setattr };
+allow uucpd_t uucpd_log_t:dir setattr;
+manage_files_pattern(uucpd_t,uucpd_log_t,uucpd_log_t)
logging_log_filetrans(uucpd_t,uucpd_log_t,{ file dir })
-allow uucpd_t uucpd_ro_t:dir r_dir_perms;
-allow uucpd_t uucpd_ro_t:file r_file_perms;
-allow uucpd_t uucpd_ro_t:lnk_file { getattr read };
+allow uucpd_t uucpd_ro_t:dir list_dir_perms;
+read_files_pattern(uucpd_t,uucpd_ro_t,uucpd_ro_t)
+read_lnk_files_pattern(uucpd_t,uucpd_ro_t,uucpd_ro_t)
-allow uucpd_t uucpd_rw_t:dir create_dir_perms;
-allow uucpd_t uucpd_rw_t:file create_file_perms;
-allow uucpd_t uucpd_rw_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(uucpd_t,uucpd_rw_t,uucpd_rw_t)
+manage_files_pattern(uucpd_t,uucpd_rw_t,uucpd_rw_t)
+manage_lnk_files_pattern(uucpd_t,uucpd_rw_t,uucpd_rw_t)
uucp_manage_spool(uucpd_t)
-allow uucpd_t uucpd_tmp_t:dir create_dir_perms;
-allow uucpd_t uucpd_tmp_t:file create_file_perms;
+manage_dirs_pattern(uucpd_t,uucpd_tmp_t,uucpd_tmp_t)
+manage_files_pattern(uucpd_t,uucpd_tmp_t,uucpd_tmp_t)
files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })
-allow uucpd_t uucpd_var_run_t:file create_file_perms;
-allow uucpd_t uucpd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(uucpd_t,uucpd_var_run_t,uucpd_var_run_t)
files_pid_filetrans(uucpd_t,uucpd_var_run_t,file)
kernel_read_kernel_sysctls(uucpd_t)
diff --git a/policy/modules/services/uwimap.if b/policy/modules/services/uwimap.if
index f228be9e..276996ce 100644
--- a/policy/modules/services/uwimap.if
+++ b/policy/modules/services/uwimap.if
@@ -16,10 +16,5 @@ interface(`uwimap_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,imapd_exec_t,imapd_t)
-
- allow $1 imapd_t:fd use;
- allow imapd_t $1:fd use;
- allow imapd_t $1:fifo_file rw_file_perms;
- allow imapd_t $1:process sigchld;
+ domtrans_pattern($1,imapd_exec_t,imapd_t)
')
diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te
index 408c09d6..08cb8fab 100644
--- a/policy/modules/services/uwimap.te
+++ b/policy/modules/services/uwimap.te
@@ -25,15 +25,14 @@ files_pid_file(imapd_var_run_t)
allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
dontaudit imapd_t self:capability sys_tty_config;
allow imapd_t self:process signal_perms;
-allow imapd_t self:fifo_file rw_file_perms;
+allow imapd_t self:fifo_file rw_fifo_file_perms;
allow imapd_t self:tcp_socket create_stream_socket_perms;
-allow imapd_t imapd_tmp_t:dir create_dir_perms;
-allow imapd_t imapd_tmp_t:file create_file_perms;
+manage_dirs_pattern(imapd_t,imapd_tmp_t,imapd_tmp_t)
+manage_files_pattern(imapd_t,imapd_tmp_t,imapd_tmp_t)
files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })
-allow imapd_t imapd_var_run_t:file create_file_perms;
-allow imapd_t imapd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(imapd_t,imapd_var_run_t,imapd_var_run_t)
files_pid_filetrans(imapd_t,imapd_var_run_t,file)
kernel_read_kernel_sysctls(imapd_t)
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index 98650759..3c277f08 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -24,16 +24,15 @@ files_pid_file(watchdog_var_run_t)
allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
dontaudit watchdog_t self:capability sys_tty_config;
allow watchdog_t self:process { setsched signal_perms };
-allow watchdog_t self:fifo_file rw_file_perms;
+allow watchdog_t self:fifo_file rw_fifo_file_perms;
allow watchdog_t self:unix_stream_socket create_socket_perms;
allow watchdog_t self:tcp_socket create_stream_socket_perms;
allow watchdog_t self:udp_socket create_socket_perms;
-allow watchdog_t watchdog_log_t:file create_file_perms;
+allow watchdog_t watchdog_log_t:file manage_file_perms;
logging_log_filetrans(watchdog_t,watchdog_log_t,file)
-allow watchdog_t watchdog_var_run_t:file create_file_perms;
-allow watchdog_t watchdog_var_run_t:dir rw_dir_perms;
+manage_files_pattern(watchdog_t,watchdog_var_run_t,watchdog_var_run_t)
files_pid_filetrans(watchdog_t,watchdog_var_run_t,file)
kernel_read_system_state(watchdog_t)
diff --git a/policy/modules/services/xfs.if b/policy/modules/services/xfs.if
index d8bf4d1e..9513df32 100644
--- a/policy/modules/services/xfs.if
+++ b/policy/modules/services/xfs.if
@@ -16,8 +16,7 @@ interface(`xfs_read_sockets',`
')
files_search_tmp($1)
- allow $1 xfs_tmp_t:dir search;
- allow $1 xfs_tmp_t:sock_file { getattr read };
+ read_sock_files_pattern($1,xfs_tmp_t,xfs_tmp_t)
')
########################################
@@ -37,12 +36,9 @@ interface(`xfs_stream_connect',`
')
files_search_tmp($1)
- allow $1 xfs_tmp_t:dir search;
- allow $1 xfs_tmp_t:sock_file write;
- allow $1 xfs_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,xfs_tmp_t,xfs_tmp_t,xfs_t)
')
-
########################################
##
## Allow the specified domain to execute xfs
diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te
index d32efafd..f1691794 100644
--- a/policy/modules/services/xfs.te
+++ b/policy/modules/services/xfs.te
@@ -27,18 +27,13 @@ allow xfs_t self:process { signal_perms setpgid };
allow xfs_t self:unix_stream_socket create_stream_socket_perms;
allow xfs_t self:unix_dgram_socket create_socket_perms;
-allow xfs_t xfs_tmp_t:dir create_dir_perms;
-allow xfs_t xfs_tmp_t:sock_file create_file_perms;
+manage_dirs_pattern(xfs_t,xfs_tmp_t,xfs_tmp_t)
+manage_sock_files_pattern(xfs_t,xfs_tmp_t,xfs_tmp_t)
files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir })
-allow xfs_t xfs_var_run_t:file create_file_perms;
-allow xfs_t xfs_var_run_t:dir rw_dir_perms;
+manage_files_pattern(xfs_t,xfs_var_run_t,xfs_var_run_t)
files_pid_filetrans(xfs_t,xfs_var_run_t,file)
-# Bind to /tmp/.font-unix/fs-1.
-# cjp: I do not believe this has an effect.
-allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
-
kernel_read_kernel_sysctls(xfs_t)
kernel_read_system_state(xfs_t)
diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te
index b9f7ba23..09128789 100644
--- a/policy/modules/services/xprint.te
+++ b/policy/modules/services/xprint.te
@@ -24,8 +24,7 @@ allow xprint_t self:fifo_file rw_file_perms;
allow xprint_t self:tcp_socket create_stream_socket_perms;
allow xprint_t self:udp_socket create_socket_perms;
-allow xprint_t xprint_var_run_t:file create_file_perms;
-allow xprint_t xprint_var_run_t:dir rw_dir_perms;
+manage_files_pattern(xprint_t,xprint_var_run_t,xprint_var_run_t)
files_pid_filetrans(xprint_t,xprint_var_run_t,file)
kernel_read_system_state(xprint_t)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 52b8ee41..46bbc135 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -49,8 +49,8 @@ template(`xserver_common_domain_template',`
dontaudit $1_xserver_t self:capability chown;
allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_xserver_t self:fd use;
- allow $1_xserver_t self:fifo_file rw_file_perms;
- allow $1_xserver_t self:sock_file r_file_perms;
+ allow $1_xserver_t self:fifo_file rw_fifo_file_perms;
+ allow $1_xserver_t self:sock_file read_sock_file_perms;
allow $1_xserver_t self:shm create_shm_perms;
allow $1_xserver_t self:sem create_sem_perms;
allow $1_xserver_t self:msgq create_msgq_perms;
@@ -61,29 +61,26 @@ template(`xserver_common_domain_template',`
allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
allow $1_xserver_t self:udp_socket create_socket_perms;
- allow $1_xserver_t $1_xserver_tmp_t:dir manage_dir_perms;
- allow $1_xserver_t $1_xserver_tmp_t:file manage_file_perms;
- allow $1_xserver_t $1_xserver_tmp_t:sock_file manage_file_perms;
+ manage_dirs_pattern($1_xserver_t,$1_xserver_tmp_t,$1_xserver_tmp_t)
+ manage_files_pattern($1_xserver_t,$1_xserver_tmp_t,$1_xserver_tmp_t)
+ manage_sock_files_pattern($1_xserver_t,$1_xserver_tmp_t,$1_xserver_tmp_t)
files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
- allow $1_xserver_t xdm_xserver_tmp_t:dir rw_dir_perms;
- type_transition $1_xserver_t xdm_xserver_tmp_t:sock_file $1_xserver_tmp_t;
+ filetrans_pattern($1_xserver_t,xdm_xserver_tmp_t,$1_xserver_tmp_t,sock_file)
- allow $1_xserver_t $1_xserver_tmpfs_t:dir manage_dir_perms;
- allow $1_xserver_t $1_xserver_tmpfs_t:file manage_file_perms;
- allow $1_xserver_t $1_xserver_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_xserver_t $1_xserver_tmpfs_t:sock_file manage_file_perms;
- allow $1_xserver_t $1_xserver_tmpfs_t:fifo_file manage_file_perms;
+ manage_dirs_pattern($1_xserver_t,$1_xserver_tmpfs_t,$1_xserver_tmpfs_t)
+ manage_files_pattern($1_xserver_t,$1_xserver_tmpfs_t,$1_xserver_tmpfs_t)
+ manage_lnk_files_pattern($1_xserver_t,$1_xserver_tmpfs_t,$1_xserver_tmpfs_t)
+ manage_fifo_files_pattern($1_xserver_t,$1_xserver_tmpfs_t,$1_xserver_tmpfs_t)
+ manage_sock_files_pattern($1_xserver_t,$1_xserver_tmpfs_t,$1_xserver_tmpfs_t)
fs_tmpfs_filetrans($1_xserver_t,$1_xserver_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
- allow $1_xserver_t xkb_var_lib_t:dir rw_dir_perms;
- allow $1_xserver_t xkb_var_lib_t:file manage_file_perms;
- allow $1_xserver_t xkb_var_lib_t:lnk_file create_lnk_perms;
+ manage_files_pattern($1_xserver_t,xkb_var_lib_t,xkb_var_lib_t)
+ manage_lnk_files_pattern($1_xserver_t,xkb_var_lib_t,xkb_var_lib_t)
files_search_var_lib($1_xserver_t)
# Create files in /var/log with the xserver_log_t type.
- allow $1_xserver_t xserver_log_t:file manage_file_perms;
- allow $1_xserver_t xserver_log_t:dir r_dir_perms;
+ manage_files_pattern($1_xserver_t,xserver_log_t,xserver_log_t)
logging_log_filetrans($1_xserver_t,xserver_log_t,file)
kernel_read_system_state($1_xserver_t)
@@ -273,36 +270,28 @@ template(`xserver_per_role_template',`
# $1_xserver_t Local policy
#
- domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
- allow $1_xserver_t $1_xauth_t:fd use;
- allow $1_xauth_t $1_xserver_t:fd use;
- allow $1_xauth_t $1_xserver_t:fifo_file rw_file_perms;
- allow $1_xauth_t $1_xserver_t:process sigchld;
+ domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
- domain_auto_trans($2, xserver_exec_t, $1_xserver_t)
- allow $2 $1_xserver_t:fd use;
- allow $1_xserver_t $2:fd use;
- allow $1_xserver_t $2:fifo_file rw_file_perms;
- allow $1_xserver_t $2:process { signal sigchld };
+ domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
+ allow $1_xserver_t $2:process signal;
allow $1_xserver_t $2:shm rw_shm_perms;
- allow $2 $1_fonts_t:dir manage_dir_perms;
- allow $2 $1_fonts_t:file manage_file_perms;
- allow $2 $1_fonts_t:{ dir file } { relabelto relabelfrom };
+ manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
+ manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
+ relabel_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
+ relabel_files_pattern($2,$1_fonts_t,$1_fonts_t)
- allow $2 $1_fonts_config_t:dir manage_dir_perms;
- allow $2 $1_fonts_config_t:file manage_file_perms;
- allow $2 $1_fonts_config_t:file { relabelto relabelfrom };
+ manage_dirs_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
+ manage_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
+ relabel_files_pattern($2,$1_fonts_config_t,$1_fonts_config_t)
# For startup relabel
allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
- allow $2 $1_xserver_tmp_t:dir r_dir_perms;
- allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
- allow $2 $1_xserver_t:unix_stream_socket connectto;
+ stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t)
allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
@@ -343,22 +332,16 @@ template(`xserver_per_role_template',`
allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file)
- allow $1_xauth_t $1_xauth_tmp_t:dir create_dir_perms;
- allow $1_xauth_t $1_xauth_tmp_t:file create_file_perms;
+ manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
+ manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
- domain_auto_trans($2, xauth_exec_t, $1_xauth_t)
- allow $2 $1_xauth_t:fd use;
- allow $1_xauth_t $2:fd use;
- allow $1_xauth_t $2:fifo_file rw_file_perms;
- allow $1_xauth_t $2:process sigchld;
+ domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
allow $2 $1_xauth_t:process signal;
# allow ps to show xauth
- allow $2 $1_xauth_t:dir { search getattr read };
- allow $2 $1_xauth_t:{ file lnk_file } { read getattr };
- allow $2 $1_xauth_t:process getattr;
+ ps_process_pattern($2,$1_xauth_t)
allow $2 $1_xauth_home_t:file manage_file_perms;
allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
@@ -408,19 +391,13 @@ template(`xserver_per_role_template',`
# $1_iceauth_t Local policy
#
- domain_auto_trans($2, iceauth_exec_t, $1_iceauth_t)
- allow $2 $1_iceauth_t:fd use;
- allow $1_iceauth_t $2:fd use;
- allow $1_iceauth_t $2:fifo_file rw_file_perms;
- allow $1_iceauth_t $2:process sigchld;
+ domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans($1,$1_iceauth_t,$1_iceauth_home_t,file)
# allow ps to show iceauth
- allow $2 $1_iceauth_t:dir { search getattr read };
- allow $2 $1_iceauth_t:{ file lnk_file } { read getattr };
- allow $2 $1_iceauth_t:process getattr;
+ ps_process_pattern($2,$1_iceauth_t)
allow $2 $1_iceauth_home_t:file manage_file_perms;
allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
@@ -485,7 +462,7 @@ template(`xserver_ro_session_template',`
# Client read xserver shm
allow $2 $1_xserver_t:fd use;
allow $2 $1_xserver_t:shm r_shm_perms;
- allow $2 $1_xserver_tmpfs_t:file r_file_perms;
+ allow $2 $1_xserver_tmpfs_t:file read_file_perms;
')
#######################################
@@ -622,8 +599,8 @@ template(`xserver_use_user_fonts',`
allow $2 $1_fonts_t:file read_file_perms;
# Manipulate the global font cache
- allow $2 $1_fonts_cache_t:dir manage_dir_perms;
- allow $2 $1_fonts_cache_t:file manage_file_perms;
+ manage_dirs_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t)
+ manage_files_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t)
# Read per user font config
allow $2 $1_fonts_config_t:dir list_dir_perms;
@@ -662,11 +639,7 @@ template(`xserver_domtrans_user_xauth',`
type $1_xauth_t, xauth_exec_t;
')
- domain_auto_trans($2, xauth_exec_t, $1_xauth_t)
- allow $2 $1_xauth_t:fd use;
- allow $1_xauth_t $2:fd use;
- allow $1_xauth_t $2:fifo_file rw_file_perms;
- allow $1_xauth_t $2:process sigchld;
+ domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
')
########################################
@@ -690,8 +663,8 @@ interface(`xserver_use_all_users_fonts',`
allow $1 fonts_type:file read_file_perms;
# Manipulate the global font cache
- allow $1 fonts_cache_type:dir manage_dir_perms;
- allow $1 fonts_cache_type:file manage_file_perms;
+ manage_dirs_pattern($1,fonts_cache_type,fonts_cache_type)
+ manage_files_pattern($1,fonts_cache_type,fonts_cache_type)
# Read per user font config
allow $1 fonts_config_type:dir list_dir_perms;
@@ -828,9 +801,7 @@ interface(`xserver_stream_connect_xdm',`
')
files_search_tmp($1)
- allow $1 xdm_tmp_t:dir search_dir_perms;
- allow $1 xdm_tmp_t:sock_file write;
- allow $1 xdm_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,xdm_tmp_t,xdm_tmp_t,xdm_t)
')
########################################
@@ -849,7 +820,7 @@ interface(`xserver_read_xdm_rw_config',`
')
files_search_etc($1)
- allow $1 xdm_rw_etc_t:dir { getattr read };
+ allow $1 xdm_rw_etc_t:file { getattr read };
')
########################################
@@ -887,8 +858,8 @@ interface(`xserver_create_xdm_tmp_sockets',`
')
files_search_tmp($1)
- allow $1 xdm_tmp_t:dir ra_dir_perms;
- allow $1 xdm_tmp_t:sock_file create;
+ allow $1 xdm_tmp_t:dir list_dir_perms;
+ create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
')
########################################
@@ -907,7 +878,7 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
- allow $1 xdm_var_run_t:file r_file_perms;
+ allow $1 xdm_var_run_t:file read_file_perms;
')
########################################
@@ -943,12 +914,7 @@ interface(`xserver_domtrans_xdm_xserver',`
type xdm_xserver_t, xserver_exec_t;
')
- domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
-
- allow $1 xdm_xserver_t:fd use;
- allow xdm_xserver_t $1:fd use;
- allow xdm_xserver_t $1:fifo_file rw_file_perms;
- allow xdm_xserver_t $1:process sigchld;
+ domtrans_pattern($1,xserver_exec_t,xdm_xserver_t)
')
########################################
@@ -1061,8 +1027,8 @@ interface(`xserver_delete_log',`
')
logging_search_logs($1)
- allow $1 xserver_log_t:dir rw_dir_perms;
- allow $1 xserver_log_t:file unlink;
+ allow $1 xserver_log_t:dir list_dir_perms;
+ delete_files_pattern($1,xserver_log_t,xserver_log_t)
')
########################################
@@ -1082,8 +1048,8 @@ interface(`xserver_read_xkb_libs',`
files_search_var_lib($1)
allow $1 xkb_var_lib_t:dir list_dir_perms;
- allow $1 xkb_var_lib_t:file r_file_perms;
- allow $1 xkb_var_lib_t:lnk_file { getattr read };
+ read_files_pattern($1,xkb_var_lib_t,xkb_var_lib_t)
+ read_lnk_files_pattern($1,xkb_var_lib_t,xkb_var_lib_t)
')
########################################
@@ -1119,8 +1085,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
- allow $1 xdm_tmp_t:dir search_dir_perms;
- allow $1 xdm_tmp_t:file { getattr read };
+ read_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
')
########################################
@@ -1195,7 +1160,5 @@ interface(`xserver_stream_connect_xdm_xserver',`
')
files_search_tmp($1)
- allow $1 xdm_xserver_tmp_t:dir search_dir_perms;
- allow $1 xdm_xserver_tmp_t:sock_file write;
- allow $1 xdm_xserver_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index fd266ef3..f9a44dab 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -83,7 +83,7 @@ optional_policy(`
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
-allow xdm_t self:fifo_file rw_file_perms;
+allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -100,9 +100,9 @@ dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
-allow xdm_t xdm_tmp_t:dir manage_dir_perms;
-allow xdm_t xdm_tmp_t:file manage_file_perms;
-allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
+manage_dirs_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
+manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
+manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
# Allow gdm to run gdm-binary
@@ -110,8 +110,7 @@ can_exec(xdm_t, xdm_exec_t)
# wdm has its own config dir /etc/X11/wdm
# this is ugly, daemons should not create files under /etc!
-allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
-allow xdm_t xdm_rw_etc_t:file create_file_perms;
+manage_files_pattern(xdm_t,xdm_rw_etc_t,xdm_rw_etc_t)
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
@@ -221,23 +220,23 @@ userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
ifdef(`strict_policy',`
- allow xdm_t xdm_lock_t:file create_file_perms;
+ allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t,xdm_lock_t,file)
- allow xdm_t xdm_tmpfs_t:dir manage_dir_perms;
- allow xdm_t xdm_tmpfs_t:file manage_file_perms;
- allow xdm_t xdm_tmpfs_t:lnk_file create_lnk_perms;
- allow xdm_t xdm_tmpfs_t:sock_file manage_file_perms;
- allow xdm_t xdm_tmpfs_t:fifo_file manage_file_perms;
+ manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
+ manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
+ manage_lnk_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
+ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
+ manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
- allow xdm_t xdm_var_lib_t:file create_file_perms;
- allow xdm_t xdm_var_lib_t:dir create_dir_perms;
+ manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
+ manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
- allow xdm_t xdm_var_run_t:dir manage_dir_perms;
- allow xdm_t xdm_var_run_t:file manage_file_perms;
- allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
+ manage_dirs_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
+ manage_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
+ manage_fifo_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file })
allow xdm_t xdm_xserver_t:process signal;
@@ -247,28 +246,22 @@ ifdef(`strict_policy',`
allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
# transition to the xdm xserver
- domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
- allow xdm_t xdm_xserver_t:fd use;
- allow xdm_xserver_t xdm_t:fd use;
- allow xdm_xserver_t xdm_t:fifo_file rw_file_perms;
- allow xdm_xserver_t xdm_t:process { signal sigchld };
+ domtrans_pattern(xdm_t, xserver_exec_t, xdm_xserver_t)
+ allow xdm_xserver_t xdm_t:process signal;
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
# connect to xdm xserver over stream socket
- allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
- allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
- allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
+ stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
# Remove /tmp/.X11-unix/X0.
- allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
- allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
- allow xdm_t xdm_xserver_tmp_t:file unlink;
+ delete_files_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t)
+ delete_sock_files_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t)
- allow xdm_t xserver_log_t:dir manage_dir_perms;
- allow xdm_t xserver_log_t:file manage_file_perms;
- allow xdm_t xserver_log_t:fifo_file manage_file_perms;
+ manage_dirs_pattern(xdm_t,xserver_log_t,xserver_log_t)
+ manage_files_pattern(xdm_t,xserver_log_t,xserver_log_t)
+ manage_fifo_files_pattern(xdm_t,xserver_log_t,xserver_log_t)
logging_log_filetrans(xdm_t,xserver_log_t,file)
auth_domtrans_pam_console(xdm_t)
@@ -387,10 +380,9 @@ dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
allow xdm_xserver_t xdm_var_run_t:file { getattr read };
# Label pid and temporary files with derived types.
-allow xdm_xserver_t xdm_tmp_t:dir rw_dir_perms;
-allow xdm_xserver_t xdm_tmp_t:file manage_file_perms;
-allow xdm_xserver_t xdm_tmp_t:lnk_file create_lnk_perms;
-allow xdm_xserver_t xdm_tmp_t:sock_file manage_file_perms;
+manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
+manage_lnk_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
+manage_sock_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
# Run xkbcomp.
allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
@@ -459,7 +451,7 @@ dontaudit xdm_t usr_t:file write;
ifdef(`rhgb.te', `
allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
-allow xdm_xserver_t ramfs_t:file create_file_perms;
+allow xdm_xserver_t ramfs_t:file manage_file_perms;
allow rhgb_t xdm_xserver_t:process signal;
')
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
index 8f23864a..398ad938 100644
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@@ -17,7 +17,7 @@ interface(`zebra_read_config',`
')
files_search_etc($1)
- allow $1 zebra_conf_t:file r_file_perms;
- allow $1 zebra_conf_t:dir r_dir_perms;
- allow $1 zebra_conf_t:lnk_file r_file_perms;
+ allow $1 zebra_conf_t:dir list_dir_perms;
+ read_files_pattern($1,zebra_conf_t,zebra_conf_t)
+ read_lnk_files_pattern($1,zebra_conf_t,zebra_conf_t)
')
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index e835d708..0c7f5184 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -38,22 +38,21 @@ allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
allow zebra_t self:udp_socket create_socket_perms;
allow zebra_t self:rawip_socket create_socket_perms;
-allow zebra_t zebra_conf_t:dir r_dir_perms;
-allow zebra_t zebra_conf_t:file r_file_perms;
-allow zebra_t zebra_conf_t:lnk_file { getattr read };
+allow zebra_t zebra_conf_t:dir list_dir_perms;
+read_files_pattern(zebra_t,zebra_conf_t,zebra_conf_t)
+read_lnk_files_pattern(zebra_t,zebra_conf_t,zebra_conf_t)
-allow zebra_t zebra_log_t:file create_file_perms;
-allow zebra_t zebra_log_t:sock_file create_file_perms;
-allow zebra_t zebra_log_t:dir { rw_dir_perms setattr };
+allow zebra_t zebra_log_t:dir setattr;
+manage_files_pattern(zebra_t,zebra_log_t,zebra_log_t)
+manage_sock_files_pattern(zebra_t,zebra_log_t,zebra_log_t)
logging_log_filetrans(zebra_t,zebra_log_t,{ sock_file file dir })
# /tmp/.bgpd is such a bad idea!
-allow zebra_t zebra_tmp_t:sock_file create_file_perms;
+allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
files_tmp_filetrans(zebra_t,zebra_tmp_t,sock_file)
-allow zebra_t zebra_var_run_t:file manage_file_perms;
-allow zebra_t zebra_var_run_t:sock_file manage_file_perms;
-allow zebra_t zebra_var_run_t:dir rw_dir_perms;
+manage_files_pattern(zebra_t,zebra_var_run_t,zebra_var_run_t)
+manage_sock_files_pattern(zebra_t,zebra_var_run_t,zebra_var_run_t)
files_pid_filetrans(zebra_t,zebra_var_run_t, { file sock_file })
kernel_read_system_state(zebra_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index c8e06f85..d39159ef 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -27,9 +27,10 @@ template(`authlogin_common_auth_domain_template',`
domain_type($1_chkpwd_t)
domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
- allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
+ allow $1_chkpwd_t self:capability { audit_control setuid };
allow $1_chkpwd_t self:process getattr;
- allow $1_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+ send_audit_msgs_pattern($1_chkpwd_t)
files_list_etc($1_chkpwd_t)
allow $1_chkpwd_t shadow_t:file { getattr read };
@@ -113,10 +114,7 @@ template(`authlogin_per_role_template',`
dontaudit $2 shadow_t:file { getattr read };
# Transition from the user domain to this domain.
- domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
- allow $1_chkpwd_t $2:fd use;
- allow $1_chkpwd_t $2:fifo_file rw_file_perms;
- allow $1_chkpwd_t $2:process sigchld;
+ domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t)
domain_use_interactive_fds($1_chkpwd_t)
@@ -159,23 +157,15 @@ template(`auth_domtrans_user_chk_passwd',`
type system_chkpwd_t, chkpwd_exec_t;
')
- domain_auto_trans($2,chkpwd_exec_t,system_chkpwd_t)
- allow $2 system_chkpwd_t:fd use;
- allow system_chkpwd_t $2:fd use;
- allow system_chkpwd_t $2:fifo_file rw_file_perms;
- allow system_chkpwd_t $2:process sigchld;
+ corecmd_search_bin($2)
+ domtrans_pattern($2,chkpwd_exec_t,system_chkpwd_t)
',`
gen_require(`
type $1_chkpwd_t, chkpwd_exec_t;
')
corecmd_search_bin($2)
- domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
-
- allow $2 $1_chkpwd_t:fd use;
- allow $1_chkpwd_t $2:fd use;
- allow $1_chkpwd_t $2:fifo_file rw_file_perms;
- allow $1_chkpwd_t $2:process sigchld;
+ domtrans_pattern($2,chkpwd_exec_t,$1_chkpwd_t)
')
')
@@ -274,10 +264,7 @@ interface(`auth_domtrans_login_program',`
')
corecmd_search_bin($1)
- domain_auto_trans($1,login_exec_t,$2)
- allow $2 $1:fd use;
- allow $2 $1:fifo_file rw_file_perms;
- allow $2 $1:process sigchld;
+ domtrans_pattern($1,login_exec_t,$2)
')
########################################
@@ -332,15 +319,12 @@ interface(`auth_domtrans_chk_passwd',`
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
-
- allow $1 self:capability { audit_write audit_control };
- allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+ # cjp: is this really needed?
+ allow $1 self:capability audit_control;
+ send_audit_msgs_pattern($1)
corecmd_search_sbin($1)
- domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
- allow system_chkpwd_t $1:fd use;
- allow system_chkpwd_t $1:fifo_file rw_file_perms;
- allow system_chkpwd_t $1:process sigchld;
+ domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
dontaudit $1 shadow_t:file { getattr read };
@@ -473,7 +457,7 @@ interface(`auth_tunable_read_shadow',`
')
files_list_etc($1)
- allow $1 shadow_t:file r_file_perms;
+ allow $1 shadow_t:file read_file_perms;
')
########################################
@@ -615,7 +599,7 @@ interface(`auth_append_faillog',`
')
logging_search_logs($1)
- allow $1 faillog_t:file { getattr append };
+ allow $1 faillog_t:file append_file_perms;
')
########################################
@@ -654,7 +638,7 @@ interface(`auth_read_lastlog',`
')
logging_search_logs($1)
- allow $1 lastlog_t:file { getattr read };
+ allow $1 lastlog_t:file read_file_perms;
')
#######################################
@@ -673,7 +657,7 @@ interface(`auth_append_lastlog',`
')
logging_search_logs($1)
- allow $1 lastlog_t:file { getattr lock append };
+ allow $1 lastlog_t:file { append_file_perms lock };
')
#######################################
@@ -692,7 +676,7 @@ interface(`auth_rw_lastlog',`
')
logging_search_logs($1)
- allow $1 lastlog_t:file { getattr read write lock setattr };
+ allow $1 lastlog_t:file { rw_file_perms lock setattr };
')
########################################
@@ -710,10 +694,7 @@ interface(`auth_domtrans_pam',`
type pam_t, pam_exec_t;
')
- domain_auto_trans($1,pam_exec_t,pam_t)
- allow pam_t $1:fd use;
- allow pam_t $1:fifo_file rw_file_perms;
- allow pam_t $1:process sigchld;
+ domtrans_pattern($1,pam_exec_t,pam_t)
')
########################################
@@ -803,7 +784,7 @@ interface(`auth_read_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir list_dir_perms;
- allow $1 pam_var_run_t:file r_file_perms;
+ allow $1 pam_var_run_t:file read_file_perms;
')
#######################################
@@ -840,8 +821,8 @@ interface(`auth_delete_pam_pid',`
')
files_search_pids($1)
- allow $1 pam_var_run_t:dir { getattr search read write remove_name };
- allow $1 pam_var_run_t:file { getattr unlink };
+ allow $1 pam_var_run_t:dir del_entry_dir_perms;
+ allow $1 pam_var_run_t:file delete_file_perms;
')
########################################
@@ -879,10 +860,7 @@ interface(`auth_domtrans_pam_console',`
type pam_console_t, pam_console_exec_t;
')
- domain_auto_trans($1,pam_console_exec_t,pam_console_t)
- allow pam_console_t $1:fd use;
- allow pam_console_t $1:fifo_file rw_file_perms;
- allow pam_console_t $1:process sigchld;
+ domtrans_pattern($1,pam_console_exec_t,pam_console_t)
')
########################################
@@ -942,7 +920,7 @@ interface(`auth_read_pam_console_data',`
files_search_pids($1)
allow $1 pam_var_console_t:dir list_dir_perms;
- allow $1 pam_var_console_t:file r_file_perms;
+ allow $1 pam_var_console_t:file read_file_perms;
')
########################################
@@ -962,9 +940,8 @@ interface(`auth_manage_pam_console_data',`
')
files_search_pids($1)
- allow $1 pam_var_console_t:dir rw_dir_perms;
- allow $1 pam_var_console_t:file manage_file_perms;
- allow $1 pam_var_console_t:lnk_file create_lnk_perms;
+ manage_files_pattern($1,pam_var_console_t,pam_var_console_t)
+ manage_lnk_files_pattern($1,pam_var_console_t,pam_var_console_t)
')
#######################################
@@ -984,8 +961,7 @@ interface(`auth_delete_pam_console_data',`
files_search_var($1)
files_search_pids($1)
- allow $1 pam_var_console_t:dir rw_dir_perms;
- allow $1 pam_var_console_t:file unlink;
+ delete_files_pattern($1,pam_var_console_t,pam_var_console_t)
')
########################################
@@ -1131,10 +1107,7 @@ interface(`auth_domtrans_utempter',`
type utempter_t, utempter_exec_t;
')
- domain_auto_trans($1,utempter_exec_t,utempter_t)
- allow utempter_t $1:fd use;
- allow utempter_t $1:fifo_file rw_file_perms;
- allow utempter_t $1:process sigchld;
+ domtrans_pattern($1,utempter_exec_t,utempter_t)
')
########################################
@@ -1221,7 +1194,7 @@ interface(`auth_read_login_records',`
')
logging_search_logs($1)
- allow $1 wtmp_t:file r_file_perms;
+ allow $1 wtmp_t:file read_file_perms;
')
########################################
@@ -1258,7 +1231,8 @@ interface(`auth_append_login_records',`
type wtmp_t;
')
- allow $1 wtmp_t:file { getattr append lock };
+ allow $1 wtmp_t:file append_file_perms;
+ logging_search_logs($1)
')
#######################################
@@ -1276,7 +1250,7 @@ interface(`auth_write_login_records',`
type wtmp_t;
')
- allow $1 wtmp_t:file { write lock };
+ allow $1 wtmp_t:file { write_file_perms lock };
')
########################################
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index e8436f49..05d3e3c5 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -88,8 +88,8 @@ allow pam_t self:sem create_sem_perms;
allow pam_t self:msgq create_msgq_perms;
allow pam_t self:msg { send receive };
-allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
-allow pam_t pam_var_run_t:file { getattr read unlink };
+delete_files_pattern(pam_t,pam_var_run_t,pam_var_run_t)
+read_files_pattern(pam_t,pam_var_run_t,pam_var_run_t)
files_list_pids(pam_t)
allow pam_t pam_tmp_t:dir manage_dir_perms;
@@ -137,9 +137,8 @@ dontaudit pam_console_t self:capability sys_tty_config;
allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
# for /var/run/console.lock checking
-allow pam_console_t pam_var_console_t:dir list_dir_perms;
-allow pam_console_t pam_var_console_t:lnk_file { getattr read };
-allow pam_console_t pam_var_console_t:file r_file_perms;
+read_files_pattern(pam_console_t,pam_var_console_t,pam_var_console_t)
+read_lnk_files_pattern(pam_console_t,pam_var_console_t,pam_var_console_t)
dontaudit pam_console_t pam_var_console_t:file write;
kernel_read_kernel_sysctls(pam_console_t)
@@ -252,8 +251,6 @@ optional_policy(`
# System check password local policy
#
-allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
allow system_chkpwd_t shadow_t:file { getattr read };
corecmd_search_sbin(system_chkpwd_t)
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index 1a2437db..2665facf 100644
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -15,12 +15,7 @@ interface(`clock_domtrans',`
type hwclock_t, hwclock_exec_t;
')
- domain_auto_trans($1,hwclock_exec_t,hwclock_t)
-
- allow $1 hwclock_t:fd use;
- allow hwclock_t $1:fd use;
- allow hwclock_t $1:fifo_file rw_file_perms;
- allow hwclock_t $1:process sigchld;
+ domtrans_pattern($1,hwclock_exec_t,hwclock_t)
')
########################################
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index 84c947c8..5a69e980 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -21,12 +21,13 @@ role system_r types hwclock_t;
# Give hwclock the capabilities it requires. dac_override is a surprise,
# but hwclock does require it.
-allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config audit_write };
+allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
dontaudit hwclock_t self:capability sys_tty_config;
allow hwclock_t self:process signal_perms;
-allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow hwclock_t self:fifo_file { getattr read write };
+send_audit_msgs_pattern(hwclock_t)
+
# Allow hwclock to store & retrieve correction factors.
allow hwclock_t adjtime_t:file { rw_file_perms setattr };
diff --git a/policy/modules/system/daemontools.if b/policy/modules/system/daemontools.if
index d3227c29..17b5f8f0 100644
--- a/policy/modules/system/daemontools.if
+++ b/policy/modules/system/daemontools.if
@@ -68,12 +68,7 @@ interface(`daemontools_domtrans_start',`
type svc_start_t, svc_start_exec_t;
')
- domain_auto_trans($1, svc_start_exec_t, svc_start_t)
-
- allow $1 svc_start_t:fd use;
- allow svc_start_t $1:fd use;
- allow svc_start_t $1:fifo_file rw_file_perms;
- allow svc_start_t $1:process sigchld;
+ domtrans_pattern($1, svc_start_exec_t, svc_start_t)
')
########################################
@@ -91,12 +86,7 @@ interface(`daemontools_domtrans_run',`
type svc_run_t, svc_run_exec_t;
')
- domain_auto_trans($1, svc_run_exec_t, svc_run_t)
-
- allow $1 svc_run_t:fd use;
- allow svc_run_t $1:fd use;
- allow svc_run_t $1:fifo_file rw_file_perms;
- allow svc_run_t $1:process sigchld;
+ domtrans_pattern($1, svc_run_exec_t, svc_run_t)
')
########################################
@@ -114,12 +104,7 @@ interface(`daemontools_domtrans_multilog',`
type svc_multilog_t, svc_multilog_exec_t;
')
- domain_auto_trans($1, svc_multilog_exec_t, svc_multilog_t)
-
- allow $1 svc_multilog_t:fd use;
- allow svc_multilog_t $1:fd use;
- allow svc_multilog_t $1:fifo_file rw_file_perms;
- allow svc_multilog_t $1:process sigchld;
+ domtrans_pattern($1, svc_multilog_exec_t, svc_multilog_t)
')
########################################
@@ -138,8 +123,8 @@ interface(`daemontools_read_svc',`
type svc_svc_t;
')
- allow $1 svc_svc_t:dir r_dir_perms;
- allow $1 svc_svc_t:file r_file_perms;
+ allow $1 svc_svc_t:dir list_dir_perms;
+ allow $1 svc_svc_t:file read_file_perms;
')
########################################
@@ -158,8 +143,8 @@ interface(`daemontools_manage_svc',`
type svc_svc_t;
')
- allow $1 svc_svc_t:dir create_dir_perms;
- allow $1 svc_svc_t:fifo_file create_file_perms;
- allow $1 svc_svc_t:file create_file_perms;
+ allow $1 svc_svc_t:dir manage_dir_perms;
+ allow $1 svc_svc_t:fifo_file manage_fifo_file_perms;
+ allow $1 svc_svc_t:file manage_file_perms;
allow $1 svc_svc_t:lnk_file { read create };
')
diff --git a/policy/modules/system/daemontools.te b/policy/modules/system/daemontools.te
index 271bb127..5c411235 100644
--- a/policy/modules/system/daemontools.te
+++ b/policy/modules/system/daemontools.te
@@ -39,8 +39,7 @@ files_type(svc_svc_t)
#
# multilog creates /service/*/log/status
-allow svc_multilog_t svc_svc_t:dir rw_dir_perms;
-allow svc_multilog_t svc_svc_t:file create_file_perms;
+manage_files_pattern(svc_multilog_t,svc_svc_t,svc_svc_t)
init_use_fds(svc_multilog_t)
@@ -61,11 +60,11 @@ daemontools_ipc_domain(svc_multilog_t)
allow svc_run_t self:capability { setgid setuid chown fsetid };
allow svc_run_t self:process setrlimit;
-allow svc_run_t self:fifo_file rw_file_perms;
+allow svc_run_t self:fifo_file rw_fifo_file_perms;
allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
-allow svc_run_t svc_conf_t:dir r_dir_perms;
-allow svc_run_t svc_conf_t:file r_file_perms;
+allow svc_run_t svc_conf_t:dir list_dir_perms;
+allow svc_run_t svc_conf_t:file read_file_perms;
can_exec(svc_run_t svc_run_exec_t)
@@ -102,7 +101,7 @@ optional_policy(`
allow svc_start_t svc_run_t:process signal;
-allow svc_start_t self:fifo_file rw_file_perms;
+allow svc_start_t self:fifo_file rw_fifo_file_perms;
allow svc_start_t self:capability kill;
allow svc_start_t self:unix_stream_socket create_socket_perms;
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 781d9490..01a5a77d 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -16,12 +16,7 @@ interface(`fstools_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,fsadm_exec_t,fsadm_t)
-
- allow $1 fsadm_t:fd use;
- allow fsadm_t $1:fd use;
- allow fsadm_t $1:fifo_file rw_file_perms;
- allow fsadm_t $1:process sigchld;
+ domtrans_pattern($1,fsadm_exec_t,fsadm_t)
')
########################################
@@ -109,7 +104,7 @@ interface(`fstools_manage_entry_files',`
type fsadm_exec_t;
')
- allow $1 fsadm_exec_t:file create_file_perms;
+ allow $1 fsadm_exec_t:file manage_file_perms;
')
########################################
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index b637c6a0..e3ed20bc 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -43,13 +43,13 @@ allow fsadm_t self:msg { send receive };
can_exec(fsadm_t, fsadm_exec_t)
-allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
-allow fsadm_t fsadm_tmp_t:file create_file_perms;
+allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
+allow fsadm_t fsadm_tmp_t:file manage_file_perms;
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
# log files
-allow fsadm_t fsadm_log_t:file manage_file_perms;
-allow fsadm_t fsadm_log_t:dir { rw_dir_perms setattr };
+allow fsadm_t fsadm_log_t:dir setattr;
+manage_files_pattern(fsadm_t,fsadm_log_t,fsadm_log_t)
logging_log_filetrans(fsadm_t,fsadm_log_t,file)
# Enable swapping to files
diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
index f60389d3..a49363d1 100644
--- a/policy/modules/system/getty.if
+++ b/policy/modules/system/getty.if
@@ -16,12 +16,7 @@ interface(`getty_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,getty_exec_t,getty_t)
-
- allow $1 getty_t:fd use;
- allow getty_t $1:fd use;
- allow getty_t $1:fifo_file rw_file_perms;
- allow getty_t $1:process sigchld;
+ domtrans_pattern($1,getty_exec_t,getty_t)
')
########################################
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 9d92dba5..96f011a3 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -37,23 +37,21 @@ allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_c
dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:process { getpgid getsession signal_perms };
-allow getty_t getty_etc_t:dir r_dir_perms;
-allow getty_t getty_etc_t:file r_file_perms;
-allow getty_t getty_etc_t:lnk_file { getattr read };
+read_files_pattern(getty_t,getty_etc_t,getty_etc_t)
+read_lnk_files_pattern(getty_t,getty_etc_t,getty_etc_t)
files_etc_filetrans(getty_t,getty_etc_t,{ file dir })
-allow getty_t getty_lock_t:file create_file_perms;
+allow getty_t getty_lock_t:file manage_file_perms;
files_lock_filetrans(getty_t,getty_lock_t,file)
-allow getty_t getty_log_t:file create_file_perms;
+allow getty_t getty_log_t:file manage_file_perms;
logging_log_filetrans(getty_t,getty_log_t,file)
-allow getty_t getty_tmp_t:file create_file_perms;
-allow getty_t getty_tmp_t:dir create_dir_perms;
+allow getty_t getty_tmp_t:file manage_file_perms;
+allow getty_t getty_tmp_t:dir manage_dir_perms;
files_tmp_filetrans(getty_t,getty_tmp_t,{ file dir })
-allow getty_t getty_var_run_t:file create_file_perms;
-allow getty_t getty_var_run_t:dir rw_dir_perms;
+manage_files_pattern(getty_t,getty_var_run_t,getty_var_run_t)
files_pid_filetrans(getty_t,getty_var_run_t,file)
kernel_list_proc(getty_t)
diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if
index 707499c5..f325978f 100644
--- a/policy/modules/system/hostname.if
+++ b/policy/modules/system/hostname.if
@@ -16,12 +16,7 @@ interface(`hostname_domtrans',`
')
corecmd_search_bin($1)
- domain_auto_trans($1,hostname_exec_t,hostname_t)
-
- allow $1 hostname_t:fd use;
- allow hostname_t $1:fd use;
- allow hostname_t $1:fifo_file rw_file_perms;
- allow hostname_t $1:process sigchld;
+ domtrans_pattern($1,hostname_exec_t,hostname_t)
')
########################################
diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if
index 9c8ea784..9d1b4a09 100644
--- a/policy/modules/system/hotplug.if
+++ b/policy/modules/system/hotplug.if
@@ -19,12 +19,7 @@ interface(`hotplug_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,hotplug_exec_t,hotplug_t)
-
- allow $1 hotplug_t:fd use;
- allow hotplug_t $1:fd use;
- allow hotplug_t $1:fifo_file rw_file_perms;
- allow hotplug_t $1:process sigchld;
+ domtrans_pattern($1,hotplug_exec_t,hotplug_t)
')
########################################
@@ -135,7 +130,7 @@ interface(`hotplug_search_config',`
type hotplug_etc_t;
')
- allow $1 hotplug_etc_t:dir { getattr search };
+ allow $1 hotplug_etc_t:dir search_dir_perms;
')
########################################
@@ -155,9 +150,9 @@ interface(`hotplug_read_config',`
')
files_search_etc($1)
- allow $1 hotplug_etc_t:file r_file_perms;
- allow $1 hotplug_etc_t:dir r_dir_perms;
- allow $1 hotplug_etc_t:lnk_file r_file_perms;
+ allow $1 hotplug_etc_t:dir list_dir_perms;
+ read_files_pattern($1,hotplug_etc_t,hotplug_etc_t)
+ read_lnk_files_pattern($1,hotplug_etc_t,hotplug_etc_t)
')
########################################
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index 8207e2fd..4c258f6b 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -33,15 +33,14 @@ allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
allow hotplug_t self:udp_socket create_socket_perms;
allow hotplug_t self:tcp_socket connected_stream_socket_perms;
-allow hotplug_t hotplug_etc_t:file r_file_perms;
-allow hotplug_t hotplug_etc_t:dir r_dir_perms;
-allow hotplug_t hotplug_etc_t:lnk_file r_file_perms;
+read_files_pattern(hotplug_t,hotplug_etc_t,hotplug_etc_t)
+read_lnk_files_pattern(hotplug_t,hotplug_etc_t,hotplug_etc_t)
can_exec(hotplug_t,hotplug_etc_t)
+allow hotplug_t hotplug_etc_t:dir list_dir_perms;
can_exec(hotplug_t,hotplug_exec_t)
-allow hotplug_t hotplug_var_run_t:file manage_file_perms;
-allow hotplug_t hotplug_var_run_t:dir rw_dir_perms;
+manage_files_pattern(hotplug_t,hotplug_var_run_t,hotplug_var_run_t)
files_pid_filetrans(hotplug_t,hotplug_var_run_t,file)
kernel_sigchld(hotplug_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index c6d853ff..e6daaf38 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -26,12 +26,7 @@ interface(`init_domain',`
role system_r types $1;
- domain_auto_trans(init_t,$2,$1)
-
- allow $1 init_t:fd use;
- allow init_t $1:fd use;
- allow $1 init_t:fifo_file rw_file_perms;
- allow $1 init_t:process sigchld;
+ domtrans_pattern(init_t,$2,$1)
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
@@ -111,13 +106,8 @@ interface(`init_daemon_domain',`
role system_r types $1;
ifdef(`direct_sysadm_daemon',`
- domain_auto_trans(direct_run_init,$2,$1)
-
- allow direct_run_init $1:fd use;
+ domtrans_pattern(direct_run_init,$2,$1)
allow direct_run_init $1:process { noatsecure siginh rlimitinh };
- allow $1 direct_run_init:fd use;
- allow $1 direct_run_init:fifo_file rw_file_perms;
- allow $1 direct_run_init:process sigchld;
typeattribute $1 direct_init;
typeattribute $2 direct_init_entry;
@@ -143,20 +133,11 @@ interface(`init_daemon_domain',`
can_exec(initrc_t,$2)
can_exec(direct_run_init,$2)
} else {
- domain_auto_trans(initrc_t,$2,$1)
- allow initrc_t $1:fd use;
- allow $1 initrc_t:fd use;
- allow $1 initrc_t:fifo_file rw_file_perms;
- allow $1 initrc_t:process sigchld;
+ domtrans_pattern(initrc_t,$2,$1)
allow initrc_t $1:process { noatsecure siginh rlimitinh };
}
',`
- domain_auto_trans(initrc_t,$2,$1)
- allow initrc_t $1:fd use;
- allow $1 initrc_t:fd use;
- allow $1 initrc_t:fifo_file rw_file_perms;
- allow $1 initrc_t:process sigchld;
- dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
+ domtrans_pattern(initrc_t,$2,$1)
')
optional_policy(`
@@ -228,12 +209,7 @@ interface(`init_system_domain',`
role system_r types $1;
- domain_auto_trans(initrc_t,$2,$1)
-
- allow initrc_t $1:fd use;
- allow $1 initrc_t:fd use;
- allow $1 initrc_t:fifo_file rw_file_perms;
- allow $1 initrc_t:process sigchld;
+ domtrans_pattern(initrc_t,$2,$1)
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
@@ -296,12 +272,7 @@ interface(`init_domtrans',`
type init_t, init_exec_t;
')
- domain_auto_trans($1,init_exec_t,init_t)
-
- allow $1 init_t:fd use;
- allow init_t $1:fd use;
- allow init_t $1:fifo_file rw_file_perms;
- allow init_t $1:process sigchld;
+ domtrans_pattern($1,init_exec_t,init_t)
')
########################################
@@ -517,7 +488,7 @@ interface(`init_telinit',`
')
dev_list_all_dev_nodes($1)
- allow $1 initctl_t:fifo_file rw_file_perms;
+ allow $1 initctl_t:fifo_file rw_fifo_file_perms;
')
########################################
@@ -536,7 +507,7 @@ interface(`init_rw_initctl',`
')
dev_list_all_dev_nodes($1)
- allow $1 initctl_t:fifo_file rw_file_perms;
+ allow $1 initctl_t:fifo_file rw_fifo_file_perms;
')
########################################
@@ -593,11 +564,7 @@ interface(`init_spec_domtrans_script',`
')
files_list_etc($1)
- domain_trans($1,initrc_exec_t,initrc_t)
- allow $1 self:process setexec;
- allow initrc_t $1:fd use;
- allow initrc_t $1:fifo_file rw_file_perms;
- allow initrc_t $1:process sigchld;
+ spec_domtrans_pattern($1,initrc_exec_t,initrc_t)
ifdef(`enable_mcs',`
range_transition $1 initrc_exec_t:process s0;
@@ -624,10 +591,7 @@ interface(`init_domtrans_script',`
')
files_list_etc($1)
- domain_auto_trans($1,initrc_exec_t,initrc_t)
- allow initrc_t $1:fd use;
- allow initrc_t $1:fifo_file rw_file_perms;
- allow initrc_t $1:process sigchld;
+ domtrans_pattern($1,initrc_exec_t,initrc_t)
ifdef(`enable_mcs',`
range_transition $1 initrc_exec_t:process s0;
@@ -781,9 +745,12 @@ interface(`init_read_script_state',`
type initrc_t;
')
- #FIXME: search proc dir
- allow $1 initrc_t:dir r_dir_perms;
- allow $1 initrc_t:{ file lnk_file } r_file_perms;
+ kernel_search_proc($1)
+ read_files_pattern($1,initrc_t,initrc_t)
+ read_lnk_files_pattern($1,initrc_t,initrc_t)
+ list_dirs_pattern($1,initrc_t,initrc_t)
+
+ # should move this to separate interface
allow $1 initrc_t:process getattr;
')
@@ -1069,7 +1036,7 @@ interface(`init_read_script_files',`
')
files_search_etc($1)
- allow $1 initrc_exec_t:file r_file_perms;
+ allow $1 initrc_exec_t:file read_file_perms;
')
########################################
@@ -1088,8 +1055,7 @@ interface(`init_getattr_script_status_files',`
type initrc_state_t;
')
- allow $1 initrc_state_t:dir search_dir_perms;
- allow $1 initrc_state_t:file getattr;
+ getattr_files_pattern($1,initrc_state_t,initrc_state_t)
')
########################################
@@ -1158,9 +1124,7 @@ interface(`init_script_tmp_filetrans',`
')
files_search_tmp($1)
-
- allow $1 initrc_tmp_t:dir rw_dir_perms;
- type_transition $1 initrc_tmp_t:$3 $2;
+ filetrans_pattern($1,initrc_tmp_t,$2,$3)
')
########################################
@@ -1197,7 +1161,7 @@ interface(`init_read_utmp',`
')
files_list_pids($1)
- allow $1 initrc_var_run_t:file r_file_perms;
+ allow $1 initrc_var_run_t:file read_file_perms;
')
########################################
@@ -1309,5 +1273,5 @@ interface(`init_manage_utmp',`
')
files_search_pids($1)
- allow $1 initrc_var_run_t:file create_file_perms;
+ allow $1 initrc_var_run_t:file manage_file_perms;
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 27ca078d..d342a54c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -81,20 +81,20 @@ allow init_t self:capability ~sys_module;
# setuid (from /sbin/shutdown)
# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
-allow init_t self:fifo_file rw_file_perms;
+allow init_t self:fifo_file rw_fifo_file_perms;
# Re-exec itself
-allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
+can_exec(init_t,init_exec_t)
allow init_t initrc_t:unix_stream_socket connectto;
# For /var/run/shutdown.pid.
-allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
+allow init_t init_var_run_t:file manage_file_perms;
files_pid_filetrans(init_t,init_var_run_t,file)
-allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
-fs_associate_tmpfs(initctl_t)
+allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t,initctl_t,fifo_file)
+fs_associate_tmpfs(initctl_t)
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
@@ -210,17 +210,17 @@ init_exec(initrc_t)
can_exec(initrc_t,initrc_exec_t)
-allow initrc_t initrc_state_t:dir manage_dir_perms;
-allow initrc_t initrc_state_t:file manage_file_perms;
-allow initrc_t initrc_state_t:fifo_file manage_file_perms;
-allow initrc_t initrc_state_t:lnk_file create_lnk_perms;
+manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
+manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
+manage_lnk_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
+manage_fifo_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-allow initrc_t initrc_var_run_t:file create_file_perms;
+allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t,initrc_var_run_t,file)
can_exec(initrc_t,initrc_tmp_t)
-allow initrc_t initrc_tmp_t:file create_file_perms;
-allow initrc_t initrc_tmp_t:dir create_dir_perms;
+allow initrc_t initrc_tmp_t:file manage_file_perms;
+allow initrc_t initrc_tmp_t:dir manage_dir_perms;
files_tmp_filetrans(initrc_t,initrc_tmp_t, { file dir })
init_write_initctl(initrc_t)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index b4a643fd..5a7d7bc3 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -15,12 +15,7 @@ interface(`ipsec_domtrans',`
type ipsec_t, ipsec_exec_t;
')
- domain_auto_trans($1,ipsec_exec_t,ipsec_t)
-
- allow $1 ipsec_t:fd use;
- allow ipsec_t $1:fd use;
- allow ipsec_t $1:fifo_file rw_file_perms;
- allow ipsec_t $1:process sigchld;
+ domtrans_pattern($1,ipsec_exec_t,ipsec_t)
')
########################################
@@ -39,9 +34,7 @@ interface(`ipsec_stream_connect',`
')
files_search_pids($1)
- allow $1 ipsec_var_run_t:dir search;
- allow $1 ipsec_var_run_t:sock_file write;
- allow $1 ipsec_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,ipsec_var_run_t,ipsec_var_run_t,ipsec_t)
')
########################################
@@ -97,7 +90,7 @@ interface(`ipsec_read_config',`
')
files_search_etc($1)
- allow $1 ipsec_conf_file_t:file r_file_perms;
+ allow $1 ipsec_conf_file_t:file read_file_perms;
')
########################################
@@ -116,6 +109,5 @@ interface(`ipsec_manage_pid',`
')
files_search_pids($1)
- allow $1 ipsec_var_run_t:dir rw_dir_perms;
- allow $1 ipsec_var_run_t:file create_file_perms;
+ manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 37b07644..eef09894 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,16 +48,16 @@ allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:key_socket { create write read setopt };
allow ipsec_t self:fifo_file { read getattr };
-allow ipsec_t ipsec_conf_file_t:dir r_dir_perms;
-allow ipsec_t ipsec_conf_file_t:file r_file_perms;
-allow ipsec_t ipsec_conf_file_t:lnk_file r_file_perms;
+allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
+read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
+read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
-allow ipsec_t ipsec_key_file_t:dir r_dir_perms;
-allow ipsec_t ipsec_key_file_t:file r_file_perms;
-allow ipsec_t ipsec_key_file_t:lnk_file r_file_perms;
+allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
+read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
-allow ipsec_t ipsec_var_run_t:file create_file_perms;
-allow ipsec_t ipsec_var_run_t:sock_file create_file_perms;
+allow ipsec_t ipsec_var_run_t:file manage_file_perms;
+allow ipsec_t ipsec_var_run_t:sock_file manage_sock_file_perms;
files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
can_exec(ipsec_t, ipsec_mgmt_exec_t)
@@ -67,7 +67,6 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
# letting all sorts of stuff possibly be run...
# so try flipping back into the ipsec_mgmt_t domain
corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t)
-allow ipsec_t ipsec_mgmt_t:fd use;
allow ipsec_mgmt_t ipsec_t:fd use;
allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
allow ipsec_mgmt_t ipsec_t:process sigchld;
@@ -158,22 +157,22 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket { create setopt };
allow ipsec_mgmt_t self:fifo_file rw_file_perms;
-allow ipsec_mgmt_t ipsec_mgmt_lock_t:file create_file_perms;
+allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
-allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms;
+allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
-allow ipsec_mgmt_t ipsec_var_run_t:dir rw_dir_perms;
-allow ipsec_mgmt_t ipsec_var_run_t:file create_file_perms;
-allow ipsec_mgmt_t ipsec_var_run_t:lnk_file create_lnk_perms;
+manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
+manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
-allow ipsec_mgmt_t ipsec_var_run_t:sock_file create_file_perms;
+allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
files_pid_filetrans(ipsec_mgmt_t,ipsec_var_run_t,sock_file)
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
-allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
+read_files_pattern(ipsec_mgmt_t,ipsec_t,ipsec_t)
+read_lnk_files_pattern(ipsec_mgmt_t,ipsec_t,ipsec_t)
# logger, running in ipsec_mgmt_t needs to use sockets
allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
@@ -181,24 +180,18 @@ allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
-allow ipsec_mgmt_t ipsec_key_file_t:dir rw_dir_perms;
-allow ipsec_mgmt_t ipsec_key_file_t:lnk_file create_lnk_perms;
-allow ipsec_mgmt_t ipsec_key_file_t:file create_file_perms;
+manage_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t)
+manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t)
files_etc_filetrans(ipsec_mgmt_t,ipsec_key_file_t,file)
# whack needs to connect to pluto
-allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
-allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
+stream_connect_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t,ipsec_t)
can_exec(ipsec_mgmt_t, ipsec_exec_t)
can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
-domain_auto_trans(ipsec_mgmt_t,ipsec_exec_t,ipsec_t)
-allow ipsec_mgmt_t ipsec_t:fd use;
-allow ipsec_t ipsec_mgmt_t:fd use;
-allow ipsec_t ipsec_mgmt_t:fifo_file rw_file_perms;
-allow ipsec_t ipsec_mgmt_t:process sigchld;
+domtrans_pattern(ipsec_mgmt_t,ipsec_exec_t,ipsec_t)
kernel_rw_net_sysctls(ipsec_mgmt_t)
# allow pluto to access /proc/net/ipsec_eroute;
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index d81ec115..85f258d1 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -16,12 +16,7 @@ interface(`iptables_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,iptables_exec_t,iptables_t)
-
- allow $1 iptables_t:fd use;
- allow iptables_t $1:fd use;
- allow iptables_t $1:fifo_file rw_file_perms;
- allow iptables_t $1:process sigchld;
+ domtrans_pattern($1,iptables_exec_t,iptables_t)
')
########################################
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 611e2aed..911061f5 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -25,18 +25,17 @@ files_pid_file(iptables_var_run_t)
allow iptables_t self:capability { net_admin net_raw };
dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+allow iptables_t self:rawip_socket create_socket_perms;
allow iptables_t iptables_var_run_t:dir rw_dir_perms;
files_pid_filetrans(iptables_t,iptables_var_run_t,file)
can_exec(iptables_t,iptables_exec_t)
-allow iptables_t iptables_tmp_t:dir create_dir_perms;
-allow iptables_t iptables_tmp_t:file create_file_perms;
+allow iptables_t iptables_tmp_t:dir manage_dir_perms;
+allow iptables_t iptables_tmp_t:file manage_file_perms;
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
-allow iptables_t self:rawip_socket create_socket_perms;
-
kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t)
kernel_read_kernel_sysctls(iptables_t)
diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if
index 12e8cfb0..b8e8f4a8 100644
--- a/policy/modules/system/iscsi.if
+++ b/policy/modules/system/iscsi.if
@@ -15,8 +15,5 @@ interface(`iscsid_domtrans',`
type iscsid_t, iscsid_exec_t;
')
- domain_auto_trans($1,iscsid_exec_t,iscsid_t)
- allow iscsid_t $1:fd use;
- allow iscsid_t $1:fifo_file rw_file_perms;
- allow iscsid_t $1:process sigchld;
+ domtrans_pattern($1,iscsid_exec_t,iscsid_t)
')
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index a18cbaba..bd231f6d 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -42,17 +42,16 @@ allow iscsid_t self:tcp_socket create_stream_socket_perms;
allow iscsid_t iscsi_lock_t:file manage_file_perms;
files_lock_filetrans(iscsid_t,iscsi_lock_t,file)
-allow iscsid_t iscsi_tmp_t:dir create_dir_perms;
-allow iscsid_t iscsi_tmp_t:file create_file_perms;
+allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
+allow iscsid_t iscsi_tmp_t:file manage_file_perms;
fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file )
allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
-allow iscsid_t iscsi_var_lib_t:file read_file_perms;
-allow iscsid_t iscsi_var_lib_t:lnk_file { getattr read };
+read_files_pattern(iscsid_t,iscsi_var_lib_t,iscsi_var_lib_t)
+read_lnk_files_pattern(iscsid_t,iscsi_var_lib_t,iscsi_var_lib_t)
files_search_var_lib(iscsid_t)
-allow iscsid_t iscsi_var_run_t:dir rw_dir_perms;
-allow iscsid_t iscsi_var_run_t:file manage_file_perms;
+manage_files_pattern(iscsid_t,iscsi_var_run_t,iscsi_var_run_t)
files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
corenet_non_ipsec_sendrecv(iscsid_t)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index 1be3f4e0..ad0bea89 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -16,12 +16,7 @@ interface(`libs_domtrans_ldconfig',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,ldconfig_exec_t,ldconfig_t)
-
- allow $1 ldconfig_t:fd use;
- allow ldconfig_t $1:fd use;
- allow ldconfig_t $1:fifo_file rw_file_perms;
- allow ldconfig_t $1:process sigchld;
+ domtrans_pattern($1,ldconfig_exec_t,ldconfig_t)
')
########################################
@@ -72,11 +67,12 @@ interface(`libs_use_ld_so',`
')
files_list_etc($1)
- allow $1 lib_t:dir r_dir_perms;
- allow $1 lib_t:lnk_file r_file_perms;
- allow $1 ld_so_t:lnk_file r_file_perms;
- allow $1 ld_so_t:file rx_file_perms;
- allow $1 ld_so_cache_t:file r_file_perms;
+ allow $1 lib_t:dir list_dir_perms;
+
+ read_lnk_files_pattern($1,lib_t,{ lib_t ld_so_t })
+ mmap_files_pattern($1,lib_t,ld_so_t)
+
+ allow $1 ld_so_cache_t:file read_file_perms;
')
########################################
@@ -115,10 +111,9 @@ interface(`libs_exec_ld_so',`
type lib_t, ld_so_t;
')
- allow $1 lib_t:dir r_dir_perms;
- allow $1 lib_t:lnk_file r_file_perms;
- allow $1 ld_so_t:lnk_file r_file_perms;
- can_exec($1,ld_so_t)
+ allow $1 lib_t:dir list_dir_perms;
+ read_lnk_files_pattern($1,lib_t,{ lib_t ld_so_t })
+ exec_files_pattern($1,lib_t,ld_so_t)
')
########################################
@@ -138,8 +133,7 @@ interface(`libs_manage_ld_so',`
type lib_t, ld_so_t;
')
- allow $1 lib_t:dir rw_dir_perms;
- allow $1 ld_so_t:file manage_file_perms;
+ manage_files_pattern($1,lib_t,ld_so_t)
')
########################################
@@ -159,8 +153,7 @@ interface(`libs_relabel_ld_so',`
type lib_t, ld_so_t;
')
- allow $1 lib_t:dir search_dir_perms;
- allow $1 ld_so_t:file { relabelfrom relabelto };
+ relabel_files_pattern($1,lib_t,ld_so_t)
')
########################################
@@ -198,7 +191,7 @@ interface(`libs_search_lib',`
type lib_t;
')
- allow $1 lib_t:dir search;
+ allow $1 lib_t:dir search_dir_perms;
')
########################################
@@ -261,8 +254,9 @@ interface(`libs_read_lib_files',`
')
files_search_usr($1)
- allow $1 lib_t:dir r_dir_perms;
- allow $1 lib_t:{ file lnk_file } r_file_perms;
+ list_dirs_pattern($1,lib_t,lib_t)
+ read_files_pattern($1,lib_t,lib_t)
+ read_lnk_files_pattern($1,lib_t,lib_t)
')
########################################
@@ -281,9 +275,9 @@ interface(`libs_exec_lib_files',`
')
files_search_usr($1)
- allow $1 lib_t:dir r_dir_perms;
- allow $1 lib_t:lnk_file r_file_perms;
- can_exec($1,lib_t)
+ allow $1 lib_t:dir list_dir_perms;
+ read_lnk_files_pattern($1,lib_t,lib_t)
+ exec_files_pattern($1,lib_t,lib_t)
')
########################################
@@ -303,9 +297,9 @@ interface(`libs_use_lib_files',`
')
files_list_usr($1)
- allow $1 lib_t:dir r_dir_perms;
- allow $1 lib_t:lnk_file r_file_perms;
- allow $1 lib_t:file rx_file_perms;
+ allow $1 lib_t:dir list_dir_perms;
+ read_lnk_files_pattern($1,lib_t,lib_t)
+ mmap_files_pattern($1,lib_t,lib_t)
')
########################################
@@ -325,8 +319,7 @@ interface(`libs_manage_lib_files',`
type lib_t;
')
- allow $1 lib_t:dir rw_dir_perms;
- allow $1 lib_t:file manage_file_perms;
+ manage_files_pattern($1,lib_t,lib_t)
')
########################################
@@ -344,8 +337,7 @@ interface(`libs_relabelto_lib_files',`
type lib_t;
')
- allow $1 lib_t:dir search_dir_perms;
- allow $1 lib_t:file relabelto;
+ relabelto_files_pattern($1,lib_t,lib_t)
')
########################################
@@ -365,8 +357,7 @@ interface(`libs_relabel_lib_files',`
type lib_t;
')
- allow $1 lib_t:dir search_dir_perms;
- allow $1 lib_t:file { relabelfrom relabelto };
+ relabel_files_pattern($1,lib_t,lib_t)
')
########################################
@@ -385,8 +376,7 @@ interface(`libs_delete_lib_symlinks',`
type lib_t;
')
- allow $1 lib_t:dir { getattr search read write remove_name };
- allow $1 lib_t:lnk_file unlink;
+ delete_lnk_files_pattern($1,lib_t,lib_t)
')
########################################
@@ -405,8 +395,7 @@ interface(`libs_manage_shared_libs',`
type lib_t, shlib_t, textrel_shlib_t;
')
- allow $1 lib_t:dir rw_dir_perms;
- allow $1 { shlib_t textrel_shlib_t }:file manage_file_perms;
+ manage_files_pattern($1,lib_t,{ shlib_t textrel_shlib_t })
')
########################################
@@ -425,10 +414,9 @@ interface(`libs_use_shared_libs',`
')
files_list_usr($1)
- allow $1 lib_t:dir r_dir_perms;
- allow $1 lib_t:lnk_file r_file_perms;
- allow $1 { shlib_t textrel_shlib_t }:lnk_file r_file_perms;
- allow $1 { shlib_t textrel_shlib_t }:file rx_file_perms;
+ allow $1 lib_t:dir list_dir_perms;
+ read_lnk_files_pattern($1,lib_t,{ lib_t shlib_t textrel_shlib_t })
+ mmap_files_pattern($1,lib_t,{ shlib_t textrel_shlib_t })
allow $1 textrel_shlib_t:file execmod;
')
@@ -469,8 +457,7 @@ interface(`libs_relabel_shared_libs',`
type lib_t, shlib_t, textrel_shlib_t;
')
- allow $1 lib_t:dir search_dir_perms;
- allow $1 { shlib_t textrel_shlib_t }:file { relabelfrom relabelto };
+ relabel_files_pattern($1,lib_t,{ shlib_t textrel_shlib_t })
')
########################################
@@ -491,9 +478,8 @@ interface(`libs_relabel_shared_libs',`
#
interface(`files_lib_filetrans_shared_lib',`
gen_require(`
- type root_t;
+ type lib_t, shlib_t;
')
- allow $1 root_t:dir rw_dir_perms;
- type_transition $1 root_t:$2 shlib_t;
+ filetrans_pattern($1,lib_t,shlib_t,$2)
')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 8b7ed0cd..6f49c4b1 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -51,16 +51,10 @@ type ldconfig_exec_t;
init_system_domain(ldconfig_t,ldconfig_exec_t)
role system_r types ldconfig_t;
-allow ldconfig_t ld_so_cache_t:file create_file_perms;
+allow ldconfig_t ld_so_cache_t:file manage_file_perms;
files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
-allow ldconfig_t lib_t:dir rw_dir_perms;
-allow ldconfig_t lib_t:lnk_file { getattr create read unlink };
-allow ldconfig_t ld_so_t:lnk_file r_file_perms;
-allow ldconfig_t ld_so_t:file rx_file_perms;
-allow ldconfig_t ld_so_cache_t:file r_file_perms;
-allow ldconfig_t { shlib_t textrel_shlib_t }:lnk_file r_file_perms;
-allow ldconfig_t { shlib_t textrel_shlib_t }:file rx_file_perms;
+manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t)
kernel_read_system_state(ldconfig_t)
@@ -77,6 +71,9 @@ files_delete_etc_files(ldconfig_t)
init_use_script_ptys(ldconfig_t)
+libs_use_ld_so(ldconfig_t)
+libs_use_shared_libs(ldconfig_t)
+
logging_send_syslog_msg(ldconfig_t)
userdom_use_all_users_fds(ldconfig_t)
@@ -88,7 +85,7 @@ ifdef(`hide_broken_symptoms',`
')
ifdef(`targeted_policy',`
- allow ldconfig_t lib_t:file r_file_perms;
+ allow ldconfig_t lib_t:file read_file_perms;
unconfined_domain(ldconfig_t)
')
diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
index 8f5a1cd9..db32b2ed 100644
--- a/policy/modules/system/locallogin.if
+++ b/policy/modules/system/locallogin.if
@@ -94,7 +94,6 @@ interface(`locallogin_search_keys',`
allow $1 local_login_t:key search;
')
-
########################################
##
## Allow link to the local_login key ring.
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 8f8faa9b..37c70a6b 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -49,11 +49,11 @@ allow local_login_t self:msgq create_msgq_perms;
allow local_login_t self:msg { send receive };
allow local_login_t self:key { search write link };
-allow local_login_t local_login_lock_t:file create_file_perms;
+allow local_login_t local_login_lock_t:file manage_file_perms;
files_lock_filetrans(local_login_t,local_login_lock_t,file)
-allow local_login_t local_login_tmp_t:dir create_dir_perms;
-allow local_login_t local_login_tmp_t:file create_file_perms;
+allow local_login_t local_login_tmp_t:dir manage_dir_perms;
+allow local_login_t local_login_tmp_t:file manage_file_perms;
files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
kernel_read_system_state(local_login_t)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index bdcf8608..44f6b5a1 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -39,8 +39,8 @@ interface(`logging_read_audit_log',`
')
files_search_var($1)
- allow $1 auditd_log_t:dir r_dir_perms;
- allow $1 auditd_log_t:file r_file_perms;
+ read_files_pattern($1,auditd_log_t,auditd_log_t)
+ allow $1 auditd_log_t:dir list_dir_perms;
')
########################################
@@ -58,12 +58,7 @@ interface(`logging_domtrans_auditctl',`
type auditctl_t, auditctl_exec_t;
')
- domain_auto_trans($1,auditctl_exec_t,auditctl_t)
-
- allow $1 auditctl_t:fd use;
- allow auditctl_t $1:fd use;
- allow auditctl_t $1:fifo_file rw_file_perms;
- allow auditctl_t $1:process sigchld;
+ domtrans_pattern($1,auditctl_exec_t,auditctl_t)
')
########################################
@@ -113,11 +108,7 @@ interface(`logging_domtrans_auditd',`
type auditd_t, auditd_exec_t;
')
- domain_auto_trans($1,auditd_exec_t,auditd_t)
-
- allow auditd_t $1:fd use;
- allow auditd_t $1:fifo_file rw_file_perms;
- allow auditd_t $1:process sigchld;
+ domtrans_pattern($1,auditd_exec_t,auditd_t)
')
########################################
@@ -167,9 +158,7 @@ interface(`logging_stream_connect_auditd',`
')
files_search_pids($1)
- allow $1 auditd_var_run_t:dir search_dir_perms;
- allow $1 auditd_var_run_t:sock_file rw_file_perms;
- allow $1 auditd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)
')
########################################
@@ -189,8 +178,7 @@ interface(`logging_manage_audit_config',`
')
files_search_etc($1)
- allow $1 auditd_etc_t:dir rw_dir_perms;
- allow $1 auditd_etc_t:file manage_file_perms;
+ manage_files_pattern($1,auditd_etc_t,auditd_etc_t)
')
########################################
@@ -210,8 +198,8 @@ interface(`logging_manage_audit_log',`
')
files_search_var($1)
- allow $1 auditd_log_t:dir create_dir_perms;
- allow $1 auditd_log_t:file create_file_perms;
+ manage_dirs_pattern($1,auditd_log_t,auditd_log_t)
+ manage_files_pattern($1,auditd_log_t,auditd_log_t)
')
########################################
@@ -230,12 +218,7 @@ interface(`logging_domtrans_syslog',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,syslogd_exec_t,syslogd_t)
-
- allow $1 syslogd_t:fd use;
- allow syslogd_t $1:fd use;
- allow syslogd_t $1:fifo_file rw_file_perms;
- allow syslogd_t $1:process sigchld;
+ domtrans_pattern($1,syslogd_exec_t,syslogd_t)
')
########################################
@@ -265,8 +248,7 @@ interface(`logging_log_filetrans',`
')
files_search_var($1)
- allow $1 var_log_t:dir rw_dir_perms;
- type_transition $1 var_log_t:$3 $2;
+ filetrans_pattern($1,var_log_t,$2,$3)
')
########################################
@@ -314,8 +296,8 @@ interface(`logging_read_audit_config',`
')
files_search_etc($1)
- allow $1 auditd_etc_t:dir r_dir_perms;
- allow $1 auditd_etc_t:file r_file_perms;
+ read_files_pattern($1,auditd_etc_t,auditd_etc_t)
+ allow $1 auditd_etc_t:dir list_dir_perms;
')
########################################
@@ -373,7 +355,7 @@ interface(`logging_list_logs',`
')
files_search_var($1)
- allow $1 var_log_t:dir r_dir_perms;
+ allow $1 var_log_t:dir list_dir_perms;
')
#######################################
@@ -431,7 +413,7 @@ interface(`logging_append_all_logs',`
')
files_search_var($1)
- allow $1 var_log_t:dir r_dir_perms;
+ allow $1 var_log_t:dir list_dir_perms;
allow $1 logfile:file { getattr append };
')
@@ -453,8 +435,8 @@ interface(`logging_read_all_logs',`
')
files_search_var($1)
- allow $1 var_log_t:dir r_dir_perms;
- allow $1 logfile:file r_file_perms;
+ allow $1 var_log_t:dir list_dir_perms;
+ read_files_pattern($1,var_log_t,logfile)
')
########################################
@@ -475,7 +457,7 @@ interface(`logging_exec_all_logs',`
')
files_search_var($1)
- allow $1 logfile:dir r_dir_perms;
+ allow $1 logfile:dir list_dir_perms;
can_exec($1,logfile)
')
@@ -496,9 +478,8 @@ interface(`logging_manage_all_logs',`
')
files_search_var($1)
- allow $1 logfile:dir rw_dir_perms;
- allow $1 logfile:lnk_file read;
- allow $1 logfile:file create_file_perms;
+ manage_files_pattern($1,logfile,logfile)
+ read_lnk_files_pattern($1,logfile,logfile)
')
########################################
@@ -518,8 +499,8 @@ interface(`logging_read_generic_logs',`
')
files_search_var($1)
- allow $1 var_log_t:dir r_dir_perms;
- allow $1 var_log_t:file r_file_perms;
+ allow $1 var_log_t:dir list_dir_perms;
+ read_files_pattern($1,var_log_t,var_log_t)
')
########################################
@@ -538,8 +519,8 @@ interface(`logging_write_generic_logs',`
')
files_search_var($1)
- allow $1 var_log_t:dir r_dir_perms;
- allow $1 var_log_t:file { getattr write };
+ allow $1 var_log_t:dir list_dir_perms;
+ write_files_pattern($1,var_log_t,var_log_t)
')
########################################
@@ -558,8 +539,8 @@ interface(`logging_rw_generic_logs',`
')
files_search_var($1)
- allow $1 var_log_t:dir r_dir_perms;
- allow $1 var_log_t:file rw_file_perms;
+ allow $1 var_log_t:dir list_dir_perms;
+ rw_files_pattern($1,var_log_t,var_log_t)
')
########################################
@@ -580,6 +561,5 @@ interface(`logging_manage_generic_logs',`
')
files_search_var($1)
- allow $1 var_log_t:dir rw_dir_perms;
- allow $1 var_log_t:file create_file_perms;
+ manage_files_pattern($1,var_log_t,var_log_t)
')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index b7bf0ade..b185f849 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -67,13 +67,8 @@ ifdef(`enable_mls',`
allow auditctl_t self:capability { audit_write audit_control };
allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-libs_use_ld_so(auditctl_t)
-libs_use_shared_libs(auditctl_t)
-
-allow auditctl_t etc_t:file { getattr read };
-
-allow auditctl_t auditd_etc_t:dir r_dir_perms;
-allow auditctl_t auditd_etc_t:file r_file_perms;
+read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
+allow auditctl_t auditd_etc_t:dir list_dir_perms;
# Needed for adding watches
files_getattr_all_dirs(auditctl_t)
@@ -92,6 +87,9 @@ term_use_all_terms(auditctl_t)
init_use_script_ptys(auditctl_t)
init_dontaudit_use_fds(auditctl_t)
+libs_use_ld_so(auditctl_t)
+libs_use_shared_libs(auditctl_t)
+
locallogin_dontaudit_use_fds(auditctl_t)
logging_send_syslog_msg(auditctl_t)
@@ -114,17 +112,15 @@ allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditd_t self:fifo_file rw_file_perms;
-allow auditd_t auditd_etc_t:dir r_dir_perms;
+allow auditd_t auditd_etc_t:dir list_dir_perms;
allow auditd_t auditd_etc_t:file r_file_perms;
-allow auditd_t auditd_log_t:dir rw_dir_perms;
-allow auditd_t auditd_log_t:file create_file_perms;
-allow auditd_t auditd_log_t:lnk_file create_lnk_perms;
-allow auditd_t var_log_t:dir search;
+manage_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
+manage_lnk_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
+allow auditd_t var_log_t:dir search_dir_perms;
-allow auditd_t auditd_var_run_t:sock_file manage_file_perms;
-allow auditd_t auditd_var_run_t:file manage_file_perms;
-allow auditd_t auditd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(auditd_t,auditd_var_run_t,auditd_var_run_t)
+manage_sock_files_pattern(auditd_t,auditd_var_run_t,auditd_var_run_t)
files_pid_filetrans(auditd_t,auditd_var_run_t,{ file sock_file })
kernel_read_kernel_sysctls(auditd_t)
@@ -199,12 +195,11 @@ allow klogd_t self:capability sys_admin;
dontaudit klogd_t self:capability { sys_resource sys_tty_config };
allow klogd_t self:process signal_perms;
-allow klogd_t klogd_tmp_t:file create_file_perms;
-allow klogd_t klogd_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(klogd_t,klogd_tmp_t,klogd_tmp_t)
+manage_files_pattern(klogd_t,klogd_tmp_t,klogd_tmp_t)
files_tmp_filetrans(klogd_t,klogd_tmp_t,{ file dir })
-allow klogd_t klogd_var_run_t:file create_file_perms;
-allow klogd_t klogd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(klogd_t,klogd_var_run_t,klogd_var_run_t)
files_pid_filetrans(klogd_t,klogd_var_run_t,file)
kernel_read_system_state(klogd_t)
@@ -278,26 +273,24 @@ allow syslogd_t self:fifo_file rw_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
# Create and bind to /dev/log or /var/run/log.
-allow syslogd_t devlog_t:sock_file create_file_perms;
+allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
files_pid_filetrans(syslogd_t,devlog_t,sock_file)
# create/append log files.
-allow syslogd_t var_log_t:dir rw_dir_perms;
-allow syslogd_t var_log_t:file create_file_perms;
+manage_files_pattern(syslogd_t,var_log_t,var_log_t)
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
# manage temporary files
-allow syslogd_t syslogd_tmp_t:file create_file_perms;
-allow syslogd_t syslogd_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
+manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
-allow syslogd_t syslogd_var_run_t:file create_file_perms;
+allow syslogd_t syslogd_var_run_t:file manage_file_perms;
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
# manage pid file
-allow syslogd_t syslogd_var_run_t:file create_file_perms;
-allow syslogd_t syslogd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t)
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
kernel_read_kernel_sysctls(syslogd_t)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 94e3014e..a4bd4f3c 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -16,12 +16,7 @@ interface(`lvm_domtrans',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1, lvm_exec_t, lvm_t)
-
- allow $1 lvm_t:fd use;
- allow lvm_t $1:fd use;
- allow lvm_t $1:fifo_file rw_file_perms;
- allow lvm_t $1:process sigchld;
+ domtrans_pattern($1, lvm_exec_t, lvm_t)
')
########################################
@@ -72,7 +67,6 @@ interface(`lvm_read_config',`
')
files_search_etc($1)
- allow $1 lvm_etc_t:dir r_dir_perms;
- allow $1 lvm_etc_t:file r_file_perms;
+ allow $1 lvm_etc_t:dir list_dir_perms;
+ read_files_pattern($1,lvm_etc_t,lvm_etc_t)
')
-
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f7879685..4f679404 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -47,17 +47,15 @@ files_tmp_file(lvm_tmp_t)
dontaudit clvmd_t self:capability sys_tty_config;
allow clvmd_t self:process signal_perms;
allow clvmd_t self:socket create_socket_perms;
-allow clvmd_t self:fifo_file rw_file_perms;
+allow clvmd_t self:fifo_file rw_fifo_file_perms;
allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow clvmd_t self:tcp_socket create_stream_socket_perms;
allow clvmd_t self:udp_socket create_socket_perms;
-allow clvmd_t clvmd_var_run_t:file create_file_perms;
-allow clvmd_t clvmd_var_run_t:dir rw_dir_perms;
+manage_files_pattern(clvmd_t,clvmd_var_run_t,clvmd_var_run_t)
files_pid_filetrans(clvmd_t,clvmd_var_run_t,file)
-allow clvmd_t lvm_metadata_t:dir search_dir_perms;
-allow clvmd_t lvm_metadata_t:file { getattr read };
+read_files_pattern(clvmd_t,lvm_metadata_t,lvm_metadata_t)
kernel_read_kernel_sysctls(clvmd_t)
kernel_read_system_state(clvmd_t)
@@ -159,38 +157,35 @@ allow lvm_t self:fifo_file rw_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow lvm_t lvm_tmp_t:dir create_dir_perms;
-allow lvm_t lvm_tmp_t:file create_file_perms;
+manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
+manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
# /lib/lvm- holds the actual LVM binaries (and symlinks)
-allow lvm_t lvm_exec_t:dir search;
-allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms;
+read_files_pattern(lvm_t,lvm_exec_t,lvm_exec_t)
+read_lnk_files_pattern(lvm_t,lvm_exec_t,lvm_exec_t)
# LVM is split into many individual binaries
can_exec(lvm_t, lvm_exec_t)
# Creating lock files
-allow lvm_t lvm_lock_t:dir rw_dir_perms;
-allow lvm_t lvm_lock_t:file create_file_perms;
+manage_files_pattern(lvm_t,lvm_lock_t,lvm_lock_t)
files_lock_filetrans(lvm_t,lvm_lock_t,file)
-allow lvm_t lvm_var_lib_t:dir manage_dir_perms;
-allow lvm_t lvm_var_lib_t:file manage_file_perms;
+manage_dirs_pattern(lvm_t,lvm_var_lib_t,lvm_var_lib_t)
+manage_files_pattern(lvm_t,lvm_var_lib_t,lvm_var_lib_t)
files_var_lib_filetrans(lvm_t,lvm_var_lib_t,{ dir file })
-allow lvm_t lvm_var_run_t:file manage_file_perms;
-allow lvm_t lvm_var_run_t:sock_file manage_file_perms;
-allow lvm_t lvm_var_run_t:dir manage_dir_perms;
+manage_dirs_pattern(lvm_t,lvm_var_run_t,lvm_var_run_t)
+manage_files_pattern(lvm_t,lvm_var_run_t,lvm_var_run_t)
+manage_sock_files_pattern(lvm_t,lvm_var_run_t,lvm_var_run_t)
files_pid_filetrans(lvm_t,lvm_var_run_t,{ file sock_file })
-allow lvm_t lvm_etc_t:file r_file_perms;
-allow lvm_t lvm_etc_t:lnk_file r_file_perms;
+read_files_pattern(lvm_t,lvm_etc_t,lvm_etc_t)
+read_lnk_files_pattern(lvm_t,lvm_etc_t,lvm_etc_t)
# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
-allow lvm_t lvm_etc_t:dir rw_dir_perms;
-allow lvm_t lvm_metadata_t:file create_file_perms;
-allow lvm_t lvm_metadata_t:dir rw_dir_perms;
-type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
+manage_files_pattern(lvm_t,lvm_metadata_t,lvm_metadata_t)
+filetrans_pattern(lvm_t,lvm_etc_t,lvm_metadata_t,file)
files_etc_filetrans(lvm_t,lvm_metadata_t,file)
kernel_read_system_state(lvm_t)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index bcaddcd8..276ad3c7 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -16,9 +16,9 @@ interface(`miscfiles_read_certs',`
type cert_t;
')
- allow $1 cert_t:dir r_dir_perms;
- allow $1 cert_t:file r_file_perms;
- allow $1 cert_t:lnk_file { getattr read };
+ allow $1 cert_t:dir list_dir_perms;
+ read_files_pattern($1,cert_t,cert_t)
+ read_lnk_files_pattern($1,cert_t,cert_t)
')
########################################
@@ -41,9 +41,9 @@ interface(`miscfiles_read_fonts',`
files_search_usr($1)
libs_search_lib($1)
- allow $1 fonts_t:dir r_dir_perms;
- allow $1 fonts_t:file r_file_perms;
- allow $1 fonts_t:lnk_file { getattr read };
+ allow $1 fonts_t:dir list_dir_perms;
+ read_files_pattern($1,fonts_t,fonts_t)
+ read_lnk_files_pattern($1,fonts_t,fonts_t)
')
########################################
@@ -66,9 +66,9 @@ interface(`miscfiles_manage_fonts',`
files_search_usr($1)
libs_search_lib($1)
- allow $1 fonts_t:dir create_dir_perms;
- allow $1 fonts_t:file create_file_perms;
- allow $1 fonts_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1,fonts_t,fonts_t)
+ manage_files_pattern($1,fonts_t,fonts_t)
+ manage_lnk_files_pattern($1,fonts_t,fonts_t)
')
########################################
@@ -86,9 +86,9 @@ interface(`miscfiles_read_hwdata',`
type hwdata_t;
')
- allow $1 hwdata_t:dir r_dir_perms;
- allow $1 hwdata_t:file r_file_perms;
- allow $1 hwdata_t:lnk_file { getattr read };
+ allow $1 hwdata_t:dir list_dir_perms;
+ read_files_pattern($1,hwdata_t,hwdata_t)
+ read_lnk_files_pattern($1,hwdata_t,hwdata_t)
')
########################################
@@ -108,9 +108,9 @@ interface(`miscfiles_read_localization',`
files_read_etc_symlinks($1)
files_search_usr($1)
- allow $1 locale_t:dir r_dir_perms;
- allow $1 locale_t:lnk_file r_file_perms;
- allow $1 locale_t:file r_file_perms;
+ allow $1 locale_t:dir list_dir_perms;
+ read_files_pattern($1,locale_t,locale_t)
+ read_lnk_files_pattern($1,locale_t,locale_t)
# why?
libs_read_lib_files($1)
@@ -133,7 +133,7 @@ interface(`miscfiles_rw_localization',`
files_search_usr($1)
allow $1 locale_t:dir list_dir_perms;
- allow $1 locale_t:file rw_file_perms;
+ rw_files_pattern($1,locale_t,locale_t)
')
########################################
@@ -190,9 +190,9 @@ interface(`miscfiles_read_man_pages',`
')
files_search_usr($1)
- allow $1 man_t:dir r_dir_perms;
- allow $1 man_t:file r_file_perms;
- allow $1 man_t:lnk_file r_file_perms;
+ allow $1 man_t:dir list_dir_perms;
+ read_files_pattern($1,man_t,man_t)
+ read_lnk_files_pattern($1,man_t,man_t)
')
########################################
@@ -212,9 +212,11 @@ interface(`miscfiles_delete_man_pages',`
')
files_search_usr($1)
- allow $1 man_t:dir { setattr rw_dir_perms rmdir };
- allow $1 man_t:file { getattr unlink };
- allow $1 man_t:lnk_file { getattr unlink };
+
+ allow $1 man_t:dir setattr;
+ delete_dirs_pattern($1,man_t,man_t)
+ delete_files_pattern($1,man_t,man_t)
+ delete_lnk_files_pattern($1,man_t,man_t)
')
########################################
@@ -233,9 +235,9 @@ interface(`miscfiles_manage_man_pages',`
')
files_search_usr($1)
- allow $1 man_t:dir create_dir_perms;
- allow $1 man_t:file create_file_perms;
- allow $1 man_t:lnk_file r_file_perms;
+ manage_dirs_pattern($1,man_t,man_t)
+ manage_files_pattern($1,man_t,man_t)
+ read_lnk_files_pattern($1,man_t,man_t)
')
########################################
@@ -255,9 +257,9 @@ interface(`miscfiles_read_public_files',`
type public_content_t, public_content_rw_t;
')
- allow $1 { public_content_t public_content_rw_t }:dir r_dir_perms;
- allow $1 { public_content_t public_content_rw_t }:file r_file_perms;
- allow $1 { public_content_t public_content_rw_t }:lnk_file { getattr read };
+ allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms;
+ read_files_pattern($1,{ public_content_t public_content_rw_t },{ public_content_t public_content_rw_t })
+ read_lnk_files_pattern($1,{ public_content_t public_content_rw_t },{ public_content_t public_content_rw_t })
')
########################################
@@ -277,9 +279,9 @@ interface(`miscfiles_manage_public_files',`
type public_content_rw_t;
')
- allow $1 public_content_rw_t:dir create_dir_perms;
- allow $1 public_content_rw_t:file create_file_perms;
- allow $1 public_content_rw_t:lnk_file create_lnk_perms;
+ manage_dirs_pattern($1,public_content_rw_t,public_content_rw_t)
+ manage_files_pattern($1,public_content_rw_t,public_content_rw_t)
+ manage_lnk_files_pattern($1,public_content_rw_t,public_content_rw_t)
')
########################################
@@ -301,9 +303,9 @@ interface(`miscfiles_read_tetex_data',`
files_search_var_lib($1)
# cjp: TeX data can be in either of the above dirs
- allow $1 tetex_data_t:dir r_dir_perms;
- allow $1 tetex_data_t:file r_file_perms;
- allow $1 tetex_data_t:lnk_file r_file_perms;
+ allow $1 tetex_data_t:dir list_dir_perms;
+ read_files_pattern($1,tetex_data_t,tetex_data_t)
+ read_lnk_files_pattern($1,tetex_data_t,tetex_data_t)
')
########################################
@@ -325,8 +327,8 @@ interface(`miscfiles_exec_tetex_data',`
files_search_var_lib($1)
# cjp: TeX data can be in either of the above dirs
- allow $1 tetex_data_t:dir r_dir_perms;
- can_exec($1,tetex_data_t)
+ allow $1 tetex_data_t:dir list_dir_perms;
+ exec_files_pattern($1,tetex_data_t,tetex_data_t)
')
########################################
@@ -363,9 +365,8 @@ interface(`miscfiles_read_test_files',`
type test_file_t;
')
- allow $1 test_file_t:dir r_dir_perms;
- allow $1 test_file_t:file r_file_perms;
- allow $1 test_file_t:lnk_file r_file_perms;
+ read_files_pattern($1,test_file_t,test_file_t)
+ read_lnk_files_pattern($1,test_file_t,test_file_t)
')
########################################
@@ -383,7 +384,6 @@ interface(`miscfiles_exec_test_files',`
type test_file_t;
')
- allow $1 test_file_t:dir r_dir_perms;
- allow $1 test_file_t:lnk_file r_file_perms;
- can_exec($1, test_file_t)
+ exec_files_pattern($1,test_file_t,test_file_t)
+ read_lnk_files_pattern($1,test_file_t,test_file_t)
')
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 415ce866..3dea9a10 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -16,7 +16,7 @@ interface(`modutils_read_module_deps',`
')
files_list_kernel_modules($1)
- allow $1 modules_dep_t:file r_file_perms;
+ allow $1 modules_dep_t:file read_file_perms;
')
########################################
@@ -41,7 +41,8 @@ interface(`modutils_read_module_config',`
files_search_etc($1)
files_search_boot($1)
- allow $1 modules_conf_t:{ file lnk_file } r_file_perms;
+ allow $1 modules_conf_t:file read_file_perms;
+ allow $1 modules_conf_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -60,7 +61,7 @@ interface(`modutils_rename_module_config',`
type modules_conf_t;
')
- allow $1 modules_conf_t:file rename;
+ allow $1 modules_conf_t:file rename_file_perms;
')
########################################
@@ -81,12 +82,7 @@ interface(`modutils_domtrans_insmod_uncond',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1, insmod_exec_t, insmod_t)
-
- allow $1 insmod_t:fd use;
- allow insmod_t $1:fd use;
- allow insmod_t $1:fifo_file rw_file_perms;
- allow insmod_t $1:process sigchld;
+ domtrans_pattern($1, insmod_exec_t, insmod_t)
')
########################################
@@ -178,12 +174,7 @@ interface(`modutils_domtrans_depmod',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1, depmod_exec_t, depmod_t)
-
- allow $1 depmod_t:fd use;
- allow depmod_t $1:fd use;
- allow depmod_t $1:fifo_file rw_file_perms;
- allow depmod_t $1:process sigchld;
+ domtrans_pattern($1, depmod_exec_t, depmod_t)
')
########################################
@@ -252,12 +243,7 @@ interface(`modutils_domtrans_update_mods',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1, update_modules_exec_t, update_modules_t)
-
- allow $1 update_modules_t:fd use;
- allow update_modules_t $1:fd use;
- allow update_modules_t $1:fifo_file rw_file_perms;
- allow update_modules_t $1:process sigchld;
+ domtrans_pattern($1, update_modules_exec_t, update_modules_t)
')
########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 5c7b59ea..81e2f209 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -170,9 +170,9 @@ optional_policy(`
can_exec(depmod_t, depmod_exec_t)
# Read conf.modules.
-allow depmod_t modules_conf_t:file r_file_perms;
+allow depmod_t modules_conf_t:file read_file_perms;
-allow depmod_t modules_dep_t:file create_file_perms;
+allow depmod_t modules_dep_t:file manage_file_perms;
files_kernel_modules_filetrans(depmod_t,modules_dep_t,file)
kernel_read_system_state(depmod_t)
@@ -220,7 +220,7 @@ optional_policy(`
# update-modules local policy
#
-allow update_modules_t self:fifo_file rw_file_perms;
+allow update_modules_t self:fifo_file rw_fifo_file_perms;
allow update_modules_t modules_dep_t:file rw_file_perms;
@@ -228,7 +228,7 @@ can_exec(update_modules_t, insmod_exec_t)
can_exec(update_modules_t, update_modules_exec_t)
# manage module loading configuration
-allow update_modules_t modules_conf_t:file create_file_perms;
+allow update_modules_t modules_conf_t:file manage_file_perms;
files_kernel_modules_filetrans(update_modules_t,modules_conf_t,file)
files_etc_filetrans(update_modules_t,modules_conf_t,file)
@@ -239,8 +239,8 @@ allow depmod_t update_modules_t:fd use;
allow depmod_t update_modules_t:fifo_file rw_file_perms;
allow depmod_t update_modules_t:process sigchld;
-allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
-allow update_modules_t update_modules_tmp_t:file create_file_perms;
+manage_dirs_pattern(update_modules_t,update_modules_tmp_t,update_modules_tmp_t)
+manage_files_pattern(update_modules_t,update_modules_tmp_t,update_modules_tmp_t)
files_tmp_filetrans(update_modules_t, update_modules_tmp_t, { file dir })
kernel_read_kernel_sysctls(update_modules_t)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 19f3dffd..e39a5e9f 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -15,12 +15,7 @@ interface(`mount_domtrans',`
type mount_t, mount_exec_t;
')
- domain_auto_trans($1,mount_exec_t,mount_t)
-
- allow $1 mount_t:fd use;
- allow mount_t $1:fd use;
- allow mount_t $1:fifo_file rw_file_perms;
- allow mount_t $1:process sigchld;
+ domtrans_pattern($1,mount_exec_t,mount_t)
')
########################################
@@ -71,10 +66,11 @@ interface(`mount_exec',`
type mount_exec_t;
')
- allow $1 mount_exec_t:dir r_dir_perms;
- allow $1 mount_exec_t:lnk_file r_file_perms;
- can_exec($1,mount_exec_t)
+ # cjp: this should be removed:
+ allow $1 mount_exec_t:dir list_dir_perms;
+ allow $1 mount_exec_t:lnk_file read_lnk_file_perms;
+ can_exec($1,mount_exec_t)
')
########################################
@@ -137,13 +133,13 @@ interface(`mount_domtrans_unconfined',`
type unconfined_mount_t, mount_exec_t;
')
- domain_auto_trans($1,mount_exec_t,unconfined_mount_t)
+ domtrans_pattern($1,mount_exec_t,unconfined_mount_t)
allow $1 unconfined_mount_t:fd use;
allow unconfined_mount_t $1:fd use;
allow unconfined_mount_t $1:fifo_file rw_file_perms;
allow unconfined_mount_t $1:process sigchld;
',`
- refpolicywarn(`$0($1) has no effect in strict policy.')
+ mount_domtrans($1)
')
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 7c0a391e..7d4b8a82 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -31,13 +31,14 @@ ifdef(`targeted_policy',`
# setuid/setgid needed to mount cifs
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
-allow mount_t mount_loopback_t:file r_file_perms;
+allow mount_t mount_loopback_t:file read_file_perms;
allow mount_t self:netlink_route_socket r_netlink_socket_perms;
+allow mount_t mount_tmp_t:file manage_file_perms;
+allow mount_t mount_tmp_t:dir manage_dir_perms;
+
can_exec(mount_t, mount_exec_t)
-allow mount_t mount_tmp_t:file create_file_perms;
-allow mount_t mount_tmp_t:dir create_dir_perms;
files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
kernel_read_system_state(mount_t)
diff --git a/policy/modules/system/netlabel.if b/policy/modules/system/netlabel.if
index 2cb4b551..93f472d5 100644
--- a/policy/modules/system/netlabel.if
+++ b/policy/modules/system/netlabel.if
@@ -16,10 +16,7 @@ interface(`netlabel_domtrans_mgmt',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,netlabel_mgmt_exec_t,netlabel_mgmt_t)
- allow netlabel_mgmt_t $1:fd use;
- allow netlabel_mgmt_t $1:fifo_file rw_file_perms;
- allow netlabel_mgmt_t $1:process sigchld;
+ domtrans_pattern($1,netlabel_mgmt_exec_t,netlabel_mgmt_t)
')
########################################
diff --git a/policy/modules/system/pcmcia.if b/policy/modules/system/pcmcia.if
index 1a010593..4932c0b9 100644
--- a/policy/modules/system/pcmcia.if
+++ b/policy/modules/system/pcmcia.if
@@ -31,12 +31,7 @@ interface(`pcmcia_domtrans_cardmgr',`
type cardmgr_t, cardmgr_exec_t;
')
- domain_auto_trans($1,cardmgr_exec_t,cardmgr_t)
-
- allow $1 cardmgr_t:fd use;
- allow cardmgr_t $1:fd use;
- allow cardmgr_t $1:fifo_file rw_file_perms;
- allow cardmgr_t $1:process sigchld;
+ domtrans_pattern($1,cardmgr_exec_t,cardmgr_t)
')
########################################
@@ -72,12 +67,7 @@ interface(`pcmcia_domtrans_cardctl',`
type cardmgr_t, cardctl_exec_t;
')
- domain_auto_trans($1,cardctl_exec_t,cardmgr_t)
-
- allow $1 cardmgr_t:fd use;
- allow cardmgr_t $1:fd use;
- allow cardmgr_t $1:fifo_file rw_file_perms;
- allow cardmgr_t $1:process sigchld;
+ domtrans_pattern($1,cardctl_exec_t,cardmgr_t)
')
########################################
@@ -128,9 +118,7 @@ interface(`pcmcia_read_pid',`
')
files_search_pids($1)
- allow $1 cardmgr_var_run_t:dir r_dir_perms;
- allow $1 cardmgr_var_run_t:file r_file_perms;
- allow $1 cardmgr_var_run_t:lnk_file { getattr read };
+ read_files_pattern($1,cardmgr_var_run_t,cardmgr_var_run_t)
')
########################################
@@ -150,8 +138,7 @@ interface(`pcmcia_manage_pid',`
')
files_search_pids($1)
- allow $1 cardmgr_var_run_t:dir rw_dir_perms;
- allow $1 cardmgr_var_run_t:file create_file_perms;
+ manage_files_pattern($1,cardmgr_var_run_t,cardmgr_var_run_t)
')
########################################
@@ -171,6 +158,5 @@ interface(`pcmcia_manage_pid_chr_files',`
')
files_search_pids($1)
- allow $1 cardmgr_var_run_t:dir rw_dir_perms;
- allow $1 cardmgr_var_run_t:chr_file create_file_perms;
+ manage_chr_files_pattern($1,cardmgr_var_run_t,cardmgr_var_run_t)
')
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
index 7e6f19ce..01aa6541 100644
--- a/policy/modules/system/pcmcia.te
+++ b/policy/modules/system/pcmcia.te
@@ -33,19 +33,18 @@ domain_entry_file(cardmgr_t,cardctl_exec_t)
allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
dontaudit cardmgr_t self:capability sys_tty_config;
allow cardmgr_t self:process signal_perms;
-allow cardmgr_t self:fifo_file rw_file_perms;
+allow cardmgr_t self:fifo_file rw_fifo_file_perms;
allow cardmgr_t self:unix_dgram_socket create_socket_perms;
allow cardmgr_t self:unix_stream_socket create_socket_perms;
-allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
+allow cardmgr_t cardmgr_lnk_t:lnk_file manage_lnk_file_perms;
dev_filetrans(cardmgr_t,cardmgr_lnk_t,lnk_file)
# Create stab file
-allow cardmgr_t cardmgr_var_lib_t:file create_file_perms;
-allow cardmgr_t cardmgr_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(cardmgr_t,cardmgr_var_lib_t,cardmgr_var_lib_t)
files_var_lib_filetrans(cardmgr_t,cardmgr_var_lib_t,file)
-allow cardmgr_t cardmgr_var_run_t:file create_file_perms;
+allow cardmgr_t cardmgr_var_run_t:file manage_file_perms;
files_pid_filetrans(cardmgr_t,cardmgr_var_run_t,file)
kernel_read_system_state(cardmgr_t)
diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if
index 04673a84..cfe72e8e 100644
--- a/policy/modules/system/raid.if
+++ b/policy/modules/system/raid.if
@@ -16,12 +16,7 @@ interface(`raid_domtrans_mdadm',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,mdadm_exec_t,mdadm_t)
-
- allow $1 mdadm_t:fd use;
- allow mdadm_t $1:fd use;
- allow mdadm_t $1:fifo_file rw_file_perms;
- allow mdadm_t $1:process sigchld;
+ domtrans_pattern($1,mdadm_exec_t,mdadm_t)
')
########################################
@@ -50,5 +45,5 @@ interface(`raid_manage_mdadm_pid',`
# FIXME: maybe should have a type_transition. not
# clear what this is doing, from the original
# mdadm policy
- allow $1 mdadm_var_run_t:file create_file_perms;
+ allow $1 mdadm_var_run_t:file manage_file_perms;
')
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 1ba3328a..2df5d539 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -22,10 +22,9 @@ files_pid_file(mdadm_var_run_t)
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
dontaudit mdadm_t self:capability sys_tty_config;
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
-allow mdadm_t self:fifo_file rw_file_perms;
+allow mdadm_t self:fifo_file rw_fifo_file_perms;
-allow mdadm_t mdadm_var_run_t:dir rw_dir_perms;
-allow mdadm_t mdadm_var_run_t:file create_file_perms;
+manage_files_pattern(mdadm_t,mdadm_var_run_t,mdadm_var_run_t)
files_pid_filetrans(mdadm_t,mdadm_var_run_t,file)
kernel_read_system_state(mdadm_t)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index b0b5b818..72725a1c 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -17,12 +17,7 @@ interface(`seutil_domtrans_checkpolicy',`
files_search_usr($1)
corecmd_search_bin($1)
- domain_auto_trans($1,checkpolicy_exec_t,checkpolicy_t)
-
- allow $1 checkpolicy_t:fd use;
- allow checkpolicy_t $1:fd use;
- allow checkpolicy_t $1:fifo_file rw_file_perms;
- allow checkpolicy_t $1:process sigchld;
+ domtrans_pattern($1,checkpolicy_exec_t,checkpolicy_t)
')
########################################
@@ -95,12 +90,7 @@ interface(`seutil_domtrans_loadpolicy',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,load_policy_exec_t,load_policy_t)
-
- allow $1 load_policy_t:fd use;
- allow load_policy_t $1:fd use;
- allow load_policy_t $1:fifo_file rw_file_perms;
- allow load_policy_t $1:process sigchld;
+ domtrans_pattern($1,load_policy_exec_t,load_policy_t)
')
########################################
@@ -171,7 +161,7 @@ interface(`seutil_read_loadpolicy',`
')
corecmd_search_sbin($1)
- allow $1 load_policy_exec_t:file r_file_perms;
+ allow $1 load_policy_exec_t:file read_file_perms;
')
#######################################
@@ -191,12 +181,7 @@ interface(`seutil_domtrans_newrole',`
files_search_usr($1)
corecmd_search_bin($1)
- domain_auto_trans($1,newrole_exec_t,newrole_t)
-
- allow $1 newrole_t:fd use;
- allow newrole_t $1:fd use;
- allow newrole_t $1:fifo_file rw_file_perms;
- allow newrole_t $1:process sigchld;
+ domtrans_pattern($1,newrole_exec_t,newrole_t)
')
########################################
@@ -323,12 +308,7 @@ interface(`seutil_domtrans_restorecon',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1,restorecon_exec_t,restorecon_t)
-
- allow $1 restorecon_t:fd use;
- allow restorecon_t $1:fd use;
- allow restorecon_t $1:fifo_file rw_file_perms;
- allow restorecon_t $1:process sigchld;
+ domtrans_pattern($1,restorecon_exec_t,restorecon_t)
')
########################################
@@ -401,12 +381,7 @@ interface(`seutil_domtrans_runinit',`
files_search_usr($1)
corecmd_search_sbin($1)
- domain_auto_trans($1,run_init_exec_t,run_init_t)
-
- allow $1 run_init_t:fd use;
- allow run_init_t $1:fd use;
- allow run_init_t $1:fifo_file rw_file_perms;
- allow run_init_t $1:process sigchld;
+ domtrans_pattern($1,run_init_exec_t,run_init_t)
')
########################################
@@ -432,7 +407,6 @@ interface(`seutil_init_script_domtrans_runinit',`
init_script_file_domtrans($1,run_init_t)
- allow $1 run_init_t:fd use;
allow run_init_t $1:fd use;
allow run_init_t $1:fifo_file rw_file_perms;
allow run_init_t $1:process sigchld;
@@ -552,12 +526,7 @@ interface(`seutil_domtrans_setfiles',`
files_search_usr($1)
corecmd_search_sbin($1)
- domain_auto_trans($1,setfiles_exec_t,setfiles_t)
-
- allow $1 setfiles_t:fd use;
- allow setfiles_t $1:fd use;
- allow setfiles_t $1:fifo_file rw_file_perms;
- allow setfiles_t $1:process sigchld;
+ domtrans_pattern($1,setfiles_exec_t,setfiles_t)
')
########################################
@@ -669,9 +638,9 @@ interface(`seutil_read_config',`
')
files_search_etc($1)
- allow $1 selinux_config_t:dir r_dir_perms;
- allow $1 selinux_config_t:file r_file_perms;
- allow $1 selinux_config_t:lnk_file { getattr read };
+ allow $1 selinux_config_t:dir list_dir_perms;
+ read_files_pattern($1,selinux_config_t,selinux_config_t)
+ read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
')
########################################
@@ -692,7 +661,7 @@ interface(`seutil_rw_config',`
files_search_etc($1)
allow $1 selinux_config_t:dir list_dir_perms;
- allow $1 selinux_config_t:file rw_file_perms;
+ rw_files_pattern($1,selinux_config_t,selinux_config_t)
')
#######################################
@@ -713,9 +682,8 @@ interface(`seutil_manage_selinux_config',`
')
files_search_etc($1)
- allow $1 selinux_config_t:dir rw_dir_perms;
- allow $1 selinux_config_t:file manage_file_perms;
- allow $1 selinux_config_t:lnk_file { getattr read };
+ manage_files_pattern($1,selinux_config_t,selinux_config_t)
+ read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
')
#######################################
@@ -755,7 +723,7 @@ interface(`seutil_search_default_contexts',`
')
files_search_etc($1)
- allow $1 { selinux_config_t default_context_t }:dir search;
+ search_dirs_pattern($1,selinux_config_t,default_context_t)
')
########################################
@@ -777,7 +745,7 @@ interface(`seutil_read_default_contexts',`
files_search_etc($1)
allow $1 selinux_config_t:dir search_dir_perms;
allow $1 default_context_t:dir list_dir_perms;
- allow $1 default_context_t:file r_file_perms;
+ read_files_pattern($1,default_context_t,default_context_t)
')
########################################
@@ -797,8 +765,7 @@ interface(`seutil_manage_default_contexts',`
files_search_etc($1)
allow $1 selinux_config_t:dir search_dir_perms;
- allow $1 default_context_t:dir rw_dir_perms;
- allow $1 default_context_t:file manage_file_perms;
+ manage_files_pattern($1,default_context_t,default_context_t)
')
########################################
@@ -814,14 +781,12 @@ interface(`seutil_manage_default_contexts',`
#
interface(`seutil_read_file_contexts',`
gen_require(`
- type selinux_config_t, file_context_t;
+ type selinux_config_t, default_context_t, file_context_t;
')
files_search_etc($1)
- allow $1 selinux_config_t:dir search;
- allow $1 file_context_t:dir r_dir_perms;
- allow $1 file_context_t:file r_file_perms;
- allow $1 file_context_t:lnk_file { getattr read };
+ allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
+ read_files_pattern($1,file_context_t,file_context_t)
')
########################################
@@ -840,10 +805,8 @@ interface(`seutil_rw_file_contexts',`
')
files_search_etc($1)
- allow $1 selinux_config_t:dir search;
- allow $1 file_context_t:dir r_dir_perms;
- allow $1 file_context_t:file rw_file_perms;
- allow $1 file_context_t:lnk_file { getattr read };
+ allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
+ rw_files_pattern($1,file_context_t,file_context_t)
')
########################################
@@ -864,8 +827,7 @@ interface(`seutil_manage_file_contexts',`
files_search_etc($1)
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
- allow $1 file_context_t:dir rw_dir_perms;
- allow $1 file_context_t:file manage_file_perms;
+ manage_files_pattern($1,file_context_t,file_context_t)
')
########################################
@@ -884,9 +846,8 @@ interface(`seutil_read_bin_policy',`
')
files_search_etc($1)
- allow $1 selinux_config_t:dir search;
- allow $1 policy_config_t:dir r_dir_perms;
- allow $1 policy_config_t:file r_file_perms;
+ allow $1 selinux_config_t:dir search_dir_perms;
+ read_files_pattern($1,policy_config_t,policy_config_t)
')
########################################
@@ -906,9 +867,9 @@ interface(`seutil_create_bin_policy',`
')
files_search_etc($1)
- allow $1 selinux_config_t:dir search;
- allow $1 policy_config_t:dir ra_dir_perms;
- allow $1 policy_config_t:file { getattr create write };
+ allow $1 selinux_config_t:dir search_dir_perms;
+ create_files_pattern($1,policy_config_t,policy_config_t)
+ write_files_pattern($1,policy_config_t,policy_config_t)
# typeattribute $1 can_write_binary_policy;
')
@@ -950,9 +911,8 @@ interface(`seutil_manage_bin_policy',`
')
files_search_etc($1)
- allow $1 selinux_config_t:dir search;
- allow $1 policy_config_t:dir rw_dir_perms;
- allow $1 policy_config_t:file create_file_perms;
+ allow $1 selinux_config_t:dir search_dir_perms;
+ manage_files_pattern($1,policy_config_t,policy_config_t)
typeattribute $1 can_write_binary_policy;
')
@@ -972,9 +932,8 @@ interface(`seutil_read_src_policy',`
')
files_search_etc($1)
- allow $1 selinux_config_t:dir search;
- allow $1 policy_src_t:dir r_dir_perms;
- allow $1 policy_src_t:file r_file_perms;
+ list_dirs_pattern($1,selinux_config_t,policy_src_t)
+ read_files_pattern($1,policy_src_t,policy_src_t)
')
########################################
@@ -995,9 +954,9 @@ interface(`seutil_manage_src_policy',`
')
files_search_etc($1)
- allow $1 selinux_config_t:dir search;
- allow $1 policy_src_t:dir create_dir_perms;
- allow $1 policy_src_t:file create_file_perms;
+ allow $1 selinux_config_t:dir search_dir_perms;
+ manage_dirs_pattern($1,policy_src_t,policy_src_t)
+ manage_files_pattern($1,policy_src_t,policy_src_t)
')
########################################
@@ -1017,12 +976,7 @@ interface(`seutil_domtrans_semanage',`
files_search_usr($1)
corecmd_search_bin($1)
- domain_auto_trans($1,semanage_exec_t,semanage_t)
-
- allow $1 semanage_t:fd use;
- allow semanage_t $1:fd use;
- allow semanage_t $1:fifo_file rw_file_perms;
- allow semanage_t $1:process sigchld;
+ domtrans_pattern($1,semanage_exec_t,semanage_t)
')
########################################
@@ -1075,11 +1029,9 @@ interface(`seutil_manage_module_store',`
')
files_search_etc($1)
- allow $1 selinux_config_t:dir rw_dir_perms;
- type_transition $1 selinux_config_t:dir semanage_store_t;
-
- allow $1 semanage_store_t:dir create_dir_perms;
- allow $1 semanage_store_t:file create_file_perms;
+ manage_dirs_pattern($1,selinux_config_t,semanage_store_t)
+ manage_files_pattern($1,semanage_store_t,semanage_store_t)
+ filetrans_pattern($1,selinux_config_t,semanage_store_t,dir)
')
#######################################
@@ -1098,8 +1050,7 @@ interface(`seutil_get_semanage_read_lock',`
')
files_search_etc($1)
- allow $1 selinux_config_t:dir search_dir_perms;
- allow $1 semanage_read_lock_t:file rw_file_perms;
+ rw_files_pattern($1,selinux_config_t,semanage_read_lock_t)
')
#######################################
@@ -1118,6 +1069,5 @@ interface(`seutil_get_semanage_trans_lock',`
')
files_search_etc($1)
- allow $1 selinux_config_t:dir search_dir_perms;
- allow $1 semanage_trans_lock_t:file rw_file_perms;
+ rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 9e946e4e..274e02bb 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -140,18 +140,15 @@ ifdef(`distro_redhat',`
allow checkpolicy_t self:capability dac_override;
# able to create and modify binary policy files
-allow checkpolicy_t policy_config_t:dir rw_dir_perms;
-allow checkpolicy_t policy_config_t:file create_file_perms;
+manage_files_pattern(checkpolicy_t,policy_config_t,policy_config_t)
# allow test policies to be created in src directories
-allow checkpolicy_t policy_src_t:dir rw_dir_perms;
-type_transition checkpolicy_t policy_src_t:file policy_config_t;
+filetrans_add_pattern(checkpolicy_t,policy_src_t,policy_config_t,file)
# only allow read of policy source files
-allow checkpolicy_t policy_src_t:dir r_dir_perms;
-allow checkpolicy_t policy_src_t:file r_file_perms;
-allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
-allow checkpolicy_t selinux_config_t:dir search;
+read_files_pattern(checkpolicy_t,policy_src_t,policy_src_t)
+read_lnk_files_pattern(checkpolicy_t,policy_src_t,policy_src_t)
+allow checkpolicy_t selinux_config_t:dir search_dir_perms;
fs_getattr_xattr_fs(checkpolicy_t)
@@ -184,14 +181,10 @@ ifdef(`targeted_policy',`
allow load_policy_t self:capability dac_override;
# only allow read of policy config files
-allow load_policy_t policy_src_t:dir search;
-allow load_policy_t policy_config_t:dir r_dir_perms;
-allow load_policy_t policy_config_t:file r_file_perms;
-allow load_policy_t policy_config_t:lnk_file r_file_perms;
+read_files_pattern(load_policy_t,{ policy_src_t policy_config_t },policy_config_t)
-allow load_policy_t selinux_config_t:dir r_dir_perms;
-allow load_policy_t selinux_config_t:file r_file_perms;
-allow load_policy_t selinux_config_t:lnk_file r_file_perms;
+read_files_pattern(load_policy_t,selinux_config_t,selinux_config_t)
+read_lnk_files_pattern(load_policy_t,selinux_config_t,selinux_config_t)
domain_use_interactive_fds(load_policy_t)
@@ -242,8 +235,8 @@ allow newrole_t self:capability { fowner setuid setgid dac_override };
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
-allow newrole_t self:fifo_file rw_file_perms;
-allow newrole_t self:sock_file r_file_perms;
+allow newrole_t self:fifo_file rw_fifo_file_perms;
+allow newrole_t self:sock_file read_sock_file_perms;
allow newrole_t self:shm create_shm_perms;
allow newrole_t self:sem create_sem_perms;
allow newrole_t self:msgq create_msgq_perms;
@@ -252,10 +245,11 @@ allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+read_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
+read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
-allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
-allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
-allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
+read_files_pattern(newrole_t,default_context_t,default_context_t)
+read_lnk_files_pattern(newrole_t,default_context_t,default_context_t)
kernel_read_system_state(newrole_t)
kernel_read_kernel_sysctls(newrole_t)
@@ -339,7 +333,7 @@ optional_policy(`
allow restorecon_t self:capability { dac_override dac_read_search fowner };
dontaudit restorecon_t self:capability sys_tty_config;
-allow restorecon_t self:fifo_file rw_file_perms;
+allow restorecon_t self:fifo_file rw_fifo_file_perms;
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
@@ -427,10 +421,10 @@ optional_policy(`
#
allow restorecond_t self:capability { dac_override dac_read_search fowner };
-allow restorecond_t self:fifo_file rw_file_perms;
+allow restorecond_t self:fifo_file rw_fifo_file_perms;
allow restorecond_t self:netlink_route_socket r_netlink_socket_perms;
-allow restorecond_t restorecond_var_run_t:file create_file_perms;
+allow restorecond_t restorecond_var_run_t:file manage_file_perms;
files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
kernel_use_fds(restorecond_t)
@@ -562,8 +556,8 @@ allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_r
allow semanage_t policy_config_t:file { read write };
-allow semanage_t semanage_tmp_t:dir create_dir_perms;
-allow semanage_t semanage_tmp_t:file create_file_perms;
+allow semanage_t semanage_tmp_t:dir manage_dir_perms;
+allow semanage_t semanage_tmp_t:file manage_file_perms;
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
kernel_read_system_state(semanage_t)
diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
index 8c1c7ce0..67b99faa 100644
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@@ -16,11 +16,7 @@ interface(`setrans_translate_context',`
')
allow $1 self:unix_stream_socket create_stream_socket_perms;
-
allow $1 setrans_t:context translate;
- allow $1 setrans_t:unix_stream_socket connectto;
- allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms;
- allow $1 setrans_var_run_t:sock_file rw_file_perms;
- allow $1 setrans_var_run_t:dir search_dir_perms;
+ stream_connect_pattern($1,setrans_var_run_t,setrans_var_run_t,setrans_t)
files_list_pids($1)
')
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 71c1a90a..0d6e890f 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -37,9 +37,8 @@ can_exec(setrans_t, setrans_exec_t)
corecmd_search_sbin(setrans_t)
# create unix domain socket in /var
-allow setrans_t setrans_var_run_t:sock_file manage_file_perms;
-allow setrans_t setrans_var_run_t:file manage_file_perms;
-allow setrans_t setrans_var_run_t:dir rw_dir_perms;
+manage_files_pattern(setrans_t,setrans_var_run_t,setrans_var_run_t)
+manage_sock_files_pattern(setrans_t,setrans_var_run_t,setrans_var_run_t)
files_pid_filetrans(setrans_t,setrans_var_run_t,file)
kernel_read_kernel_sysctls(setrans_t)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index c8813ebf..3a0ba460 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -16,12 +16,7 @@ interface(`sysnet_domtrans_dhcpc',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1, dhcpc_exec_t, dhcpc_t)
-
- allow $1 dhcpc_t:fd use;
- allow dhcpc_t $1:fd use;
- allow dhcpc_t $1:fifo_file rw_file_perms;
- allow dhcpc_t $1:process sigchld;
+ domtrans_pattern($1, dhcpc_exec_t, dhcpc_t)
')
########################################
@@ -222,7 +217,7 @@ interface(`sysnet_read_config',`
')
files_search_etc($1)
- allow $1 net_conf_t:file r_file_perms;
+ allow $1 net_conf_t:file read_file_perms;
')
#######################################
@@ -240,7 +235,7 @@ interface(`sysnet_dontaudit_read_config',`
type net_conf_t;
')
- dontaudit $1 net_conf_t:file r_file_perms;
+ dontaudit $1 net_conf_t:file read_file_perms;
')
#######################################
@@ -277,7 +272,7 @@ interface(`sysnet_manage_config',`
type net_conf_t;
')
- allow $1 net_conf_t:file create_file_perms;
+ allow $1 net_conf_t:file manage_file_perms;
')
#######################################
@@ -333,12 +328,7 @@ interface(`sysnet_domtrans_ifconfig',`
')
corecmd_search_sbin($1)
- domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)
-
- allow $1 ifconfig_t:fd use;
- allow ifconfig_t $1:fd use;
- allow ifconfig_t $1:fifo_file rw_file_perms;
- allow ifconfig_t $1:process sigchld;
+ domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
')
########################################
@@ -410,8 +400,7 @@ interface(`sysnet_read_dhcp_config',`
')
files_search_etc($1)
- allow $1 dhcp_etc_t:dir search;
- allow $1 dhcp_etc_t:file { getattr read };
+ read_files_pattern($1,dhcp_etc_t,dhcp_etc_t)
')
########################################
@@ -430,7 +419,7 @@ interface(`sysnet_search_dhcp_state',`
')
files_search_var_lib($1)
- allow $1 dhcp_state_t:dir search;
+ allow $1 dhcp_state_t:dir search_dir_perms;
')
########################################
@@ -469,8 +458,7 @@ interface(`sysnet_dhcp_state_filetrans',`
')
files_search_var_lib($1)
- allow $1 dhcp_state_t:dir rw_dir_perms;
- type_transition $1 dhcp_state_t:$3 $2;
+ filetrans_pattern($1,dhcp_state_t,$2,$3)
')
########################################
@@ -503,7 +491,7 @@ interface(`sysnet_dns_name_resolve',`
corenet_sendrecv_dns_client_packets($1)
files_search_etc($1)
- allow $1 net_conf_t:file r_file_perms;
+ allow $1 net_conf_t:file read_file_perms;
')
########################################
@@ -531,7 +519,7 @@ interface(`sysnet_use_ldap',`
corenet_sendrecv_ldap_client_packets($1)
files_search_etc($1)
- allow $1 net_conf_t:file r_file_perms;
+ allow $1 net_conf_t:file read_file_perms;
')
########################################
@@ -563,5 +551,5 @@ interface(`sysnet_use_portmap',`
corenet_sendrecv_portmap_client_packets($1)
files_search_etc($1)
- allow $1 net_conf_t:file r_file_perms;
+ allow $1 net_conf_t:file read_file_perms;
')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 5d18e40d..8161430b 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -52,39 +52,32 @@ allow dhcpc_t self:udp_socket create_socket_perms;
allow dhcpc_t self:packet_socket create_socket_perms;
allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };
-allow dhcpc_t dhcp_etc_t:dir r_dir_perms;
-allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
-allow dhcpc_t dhcp_etc_t:file { r_file_perms execute execute_no_trans };
+allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
+read_lnk_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t)
+exec_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t)
-allow dhcpc_t dhcp_state_t:dir rw_dir_perms;
allow dhcpc_t dhcp_state_t:file { getattr read };
-allow dhcpc_t dhcpc_state_t:dir rw_dir_perms;
-allow dhcpc_t dhcpc_state_t:file create_file_perms;
-type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
+manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t)
+filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file)
# create pid file
-allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
-allow dhcpc_t dhcpc_var_run_t:dir rw_dir_perms;
+manage_files_pattern(dhcpc_t,dhcpc_var_run_t,dhcpc_var_run_t)
files_pid_filetrans(dhcpc_t,dhcpc_var_run_t,file)
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
-allow dhcpc_t net_conf_t:file create_file_perms;
+allow dhcpc_t net_conf_t:file manage_file_perms;
files_etc_filetrans(dhcpc_t,net_conf_t,file)
# create temp files
-allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms;
-allow dhcpc_t dhcpc_tmp_t:file create_file_perms;
+manage_dirs_pattern(dhcpc_t,dhcpc_tmp_t,dhcpc_tmp_t)
+manage_files_pattern(dhcpc_t,dhcpc_tmp_t,dhcpc_tmp_t)
files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })
can_exec(dhcpc_t, dhcpc_exec_t)
# transition to ifconfig
-domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
-allow dhcpc_t ifconfig_t:fd use;
-allow ifconfig_t dhcpc_t:fd use;
-allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
-allow ifconfig_t dhcpc_t:process sigchld;
+domtrans_pattern(dhcpc_t, ifconfig_exec_t, ifconfig_t)
kernel_read_system_state(dhcpc_t)
kernel_read_network_state(dhcpc_t)
@@ -259,8 +252,8 @@ allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
dontaudit ifconfig_t self:capability sys_module;
allow ifconfig_t self:fd use;
-allow ifconfig_t self:fifo_file rw_file_perms;
-allow ifconfig_t self:sock_file r_file_perms;
+allow ifconfig_t self:fifo_file rw_fifo_file_perms;
+allow ifconfig_t self:sock_file read_sock_file_perms;
allow ifconfig_t self:socket create_socket_perms;
allow ifconfig_t self:unix_dgram_socket create_socket_perms;
allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 6aa57cef..573a890f 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -15,12 +15,7 @@ interface(`udev_domtrans',`
type udev_t, udev_exec_t;
')
- domain_auto_trans($1, udev_exec_t, udev_t)
-
- allow $1 udev_t:fd use;
- allow udev_t $1:fd use;
- allow udev_t $1:fifo_file rw_file_perms;
- allow udev_t $1:process sigchld;
+ domtrans_pattern($1, udev_exec_t, udev_t)
')
########################################
@@ -38,12 +33,7 @@ interface(`udev_helper_domtrans',`
type udev_t, udev_helper_exec_t;
')
- domain_auto_trans($1, udev_helper_exec_t, udev_t)
-
- allow $1 udev_t:fd use;
- allow udev_t $1:fd use;
- allow udev_t $1:fifo_file rw_file_perms;
- allow udev_t $1:process sigchld;
+ domtrans_pattern($1, udev_helper_exec_t, udev_t)
')
########################################
@@ -62,8 +52,8 @@ interface(`udev_read_state',`
')
kernel_search_proc($1)
- allow $1 udev_t:file r_file_perms;
- allow $1 udev_t:lnk_file r_file_perms;
+ allow $1 udev_t:file read_file_perms;
+ allow $1 udev_t:lnk_file read_lnk_file_perms;
')
########################################
@@ -120,7 +110,7 @@ interface(`udev_read_db',`
')
dev_list_all_dev_nodes($1)
- allow $1 udev_tdb_t:file r_file_perms;
+ allow $1 udev_tdb_t:file read_file_perms;
')
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 87555e65..79f454e7 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -44,8 +44,8 @@ dontaudit udev_t self:capability sys_tty_config;
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
-allow udev_t self:fifo_file rw_file_perms;
-allow udev_t self:sock_file r_file_perms;
+allow udev_t self:fifo_file rw_fifo_file_perms;
+allow udev_t self:sock_file read_file_perms;
allow udev_t self:shm create_shm_perms;
allow udev_t self:sem create_sem_perms;
allow udev_t self:msgq create_msgq_perms;
@@ -59,17 +59,16 @@ allow udev_t self:rawip_socket create_socket_perms;
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-allow udev_t udev_helper_exec_t:dir r_dir_perms;
+allow udev_t udev_helper_exec_t:dir list_dir_perms;
# read udev config
-allow udev_t udev_etc_t:file r_file_perms;
+allow udev_t udev_etc_t:file read_file_perms;
# create udev database in /dev/.udevdb
-allow udev_t udev_tbl_t:file create_file_perms;
+allow udev_t udev_tbl_t:file manage_file_perms;
dev_filetrans(udev_t,udev_tbl_t,file)
-allow udev_t udev_var_run_t:file create_file_perms;
-allow udev_t udev_var_run_t:dir rw_dir_perms;
+manage_files_pattern(udev_t,udev_var_run_t,udev_var_run_t)
files_pid_filetrans(udev_t,udev_var_run_t,file)
kernel_read_system_state(udev_t)
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 9f4f7ec0..2c7c721b 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -19,7 +19,7 @@ interface(`unconfined_domain_noaudit',`
# Use any Linux capability.
allow $1 self:capability *;
- allow $1 self:fifo_file create_file_perms;
+ allow $1 self:fifo_file manage_fifo_file_perms;
# Transition to myself, to make get_ordered_context_list happy.
allow $1 self:process transition;
@@ -130,12 +130,7 @@ interface(`unconfined_domtrans',`
type unconfined_t, unconfined_exec_t;
')
- domain_auto_trans($1,unconfined_exec_t,unconfined_t)
-
- allow $1 unconfined_t:fd use;
- allow unconfined_t $1:fd use;
- allow unconfined_t $1:fifo_file rw_file_perms;
- allow unconfined_t $1:process sigchld;
+ domtrans_pattern($1,unconfined_exec_t,unconfined_t)
')
########################################
@@ -184,6 +179,9 @@ interface(`unconfined_shell_domtrans',`
')
corecmd_shell_domtrans($1,unconfined_t)
+ allow unconfined_t $1:fd use;
+ allow unconfined_t $1:fifo_file rw_file_perms;
+ allow unconfined_t $1:process sigchld;
')
########################################
@@ -218,10 +216,7 @@ interface(`unconfined_domtrans_to',`
type unconfined_t;
')
- domain_auto_trans(unconfined_t,$2,$1)
- allow $1 unconfined_t:fd use;
- allow $1 unconfined_t:fifo_file rw_file_perms;
- allow $1 unconfined_t:process sigchld;
+ domtrans_pattern(unconfined_t,$2,$1)
')
########################################
@@ -311,7 +306,7 @@ interface(`unconfined_read_pipes',`
type unconfined_t;
')
- allow $1 unconfined_t:fifo_file r_file_perms;
+ allow $1 unconfined_t:fifo_file read_fifo_file_perms;
')
########################################
@@ -347,7 +342,7 @@ interface(`unconfined_rw_pipes',`
type unconfined_t;
')
- allow $1 unconfined_t:fifo_file rw_file_perms;
+ allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
')
########################################
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 240ff341..0f1edf6e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -48,7 +48,7 @@ template(`userdom_base_user_template',`
allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession };
allow $1_t self:fd use;
- allow $1_t self:fifo_file rw_file_perms;
+ allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow $1_t self:shm create_shm_perms;
@@ -61,7 +61,7 @@ template(`userdom_base_user_template',`
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
term_create_pty($1_t,$1_devpts_t)
- allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
+ allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
kernel_read_kernel_sysctls($1_t)
kernel_dontaudit_list_unlabeled($1_t)
@@ -171,12 +171,13 @@ template(`userdom_ro_home_template',`
#
# read-only home directory
- allow $1_t $1_home_t:file { read_file_perms entrypoint };
- allow $1_t $1_home_t:lnk_file read_file_perms;
- allow $1_t $1_home_t:dir list_dir_perms;
- allow $1_t $1_home_t:sock_file read_file_perms;
- allow $1_t $1_home_t:fifo_file read_file_perms;
allow $1_t $1_home_dir_t:dir list_dir_perms;
+ allow $1_t $1_home_t:dir list_dir_perms;
+ allow $1_t $1_home_t:file entrypoint;
+ read_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
+ read_lnk_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
+ read_fifo_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
+ read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
files_list_home($1_t)
tunable_policy(`use_nfs_home_dirs',`
@@ -257,15 +258,23 @@ template(`userdom_manage_home_template',`
#
# full control of the home directory
- allow $1_t $1_home_t:file { manage_file_perms relabelfrom relabelto entrypoint };
- allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
- allow $1_t $1_home_t:dir { manage_dir_perms relabelfrom relabelto };
- allow $1_t $1_home_t:sock_file { manage_file_perms relabelfrom relabelto };
- allow $1_t $1_home_t:fifo_file { manage_file_perms relabelfrom relabelto };
- allow $1_t $1_home_dir_t:dir { manage_dir_perms relabelfrom relabelto };
- type_transition $1_t $1_home_dir_t:{ dir file lnk_file sock_file fifo_file } $1_home_t;
+ allow $1_t $1_home_t:file entrypoint;
+ manage_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+ manage_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+ manage_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+ manage_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+ manage_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+ relabel_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+ relabel_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+ relabel_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+ relabel_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+ relabel_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
+ filetrans_pattern($1_t,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
files_list_home($1_t)
+ # cjp: this should probably be removed:
+ allow $1_t $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_t)
fs_manage_nfs_files($1_t)
@@ -363,11 +372,11 @@ template(`userdom_manage_tmp_template',`
type $1_tmp_t, $1_file_type;
files_tmp_file($1_tmp_t)
- allow $1_t $1_tmp_t:dir manage_dir_perms;
- allow $1_t $1_tmp_t:file manage_file_perms;
- allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
- allow $1_t $1_tmp_t:sock_file manage_file_perms;
- allow $1_t $1_tmp_t:fifo_file manage_file_perms;
+ manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t)
+ manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+ manage_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+ manage_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+ manage_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
')
@@ -384,7 +393,7 @@ template(`userdom_manage_tmp_template',`
##
#
template(`userdom_exec_tmp_template',`
- can_exec($1_t,$1_tmp_t)
+ exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
')
#######################################
@@ -435,11 +444,11 @@ template(`userdom_manage_tmpfs_template',`
type $1_tmpfs_t, $1_file_type;
files_tmpfs_file($1_tmpfs_t)
- allow $1_t $1_tmpfs_t:dir rw_dir_perms;
- allow $1_t $1_tmpfs_t:file manage_file_perms;
- allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
- allow $1_t $1_tmpfs_t:sock_file manage_file_perms;
- allow $1_t $1_tmpfs_t:fifo_file manage_file_perms;
+ manage_dirs_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
+ manage_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
+ manage_lnk_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
+ manage_sock_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
+ manage_fifo_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file })
')
@@ -472,13 +481,13 @@ template(`userdom_untrusted_content_template',`
files_tmp_file($1_untrusted_content_tmp_t)
# Allow user to relabel untrusted content
- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { manage_dir_perms relabelto relabelfrom };
- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
+ allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabel_file_perms rename };
tunable_policy(`read_untrusted_content',`
allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir list_dir_perms;
- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file read_file_perms;
- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:lnk_file { getattr read };
+ read_files_pattern($1_t,{ $1_untrusted_content_t $1_untrusted_content_tmp_t },{ $1_untrusted_content_t $1_untrusted_content_tmp_t })
+ read_lnk_files_pattern($1_t,{ $1_untrusted_content_t $1_untrusted_content_tmp_t },{ $1_untrusted_content_t $1_untrusted_content_tmp_t })
',`
dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir list_dir_perms;
dontaudit $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file read_file_perms;
@@ -952,12 +961,12 @@ template(`userdom_unpriv_user_template', `
#
# privileged home directory writers
- allow privhome $1_home_t:file manage_file_perms;
- allow privhome $1_home_t:lnk_file create_lnk_perms;
- allow privhome $1_home_t:dir manage_dir_perms;
- allow privhome $1_home_t:sock_file manage_file_perms;
- allow privhome $1_home_t:fifo_file manage_file_perms;
- type_transition privhome $1_home_dir_t:{ dir file lnk_file sock_file fifo_file } $1_home_t;
+ manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+ manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+ manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+ manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+ manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+ filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
corecmd_exec_all_executables($1_t)
@@ -1656,7 +1665,7 @@ template(`userdom_search_user_home_dirs',`
')
files_search_home($2)
- allow $2 $1_home_dir_t:dir { getattr search };
+ allow $2 $1_home_dir_t:dir search_dir_perms;
')
########################################
@@ -1690,7 +1699,7 @@ template(`userdom_list_user_home_dirs',`
')
files_search_home($2)
- allow $2 $1_home_dir_t:dir r_dir_perms;
+ allow $2 $1_home_dir_t:dir list_dir_perms;
')
########################################
@@ -1772,7 +1781,7 @@ template(`userdom_dontaudit_list_user_home_dirs',`
type $1_home_dir_t;
')
- dontaudit $2 $1_home_dir_t:dir r_dir_perms;
+ dontaudit $2 $1_home_dir_t:dir list_dir_perms;
')
########################################
@@ -1808,8 +1817,7 @@ template(`userdom_manage_user_home_content_dirs',`
')
files_search_home($2)
- allow $2 $1_home_dir_t:dir rw_dir_perms;
- allow $2 $1_home_t:dir manage_dir_perms;
+ manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
')
########################################
@@ -1878,9 +1886,7 @@ template(`userdom_read_user_home_content_files',`
')
files_search_home($2)
- allow $2 $1_home_dir_t:dir search_dir_perms;
- allow $2 $1_home_t:dir search_dir_perms;
- allow $2 $1_home_t:file r_file_perms;
+ read_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
')
########################################
@@ -1913,8 +1919,8 @@ template(`userdom_dontaudit_read_user_home_content_files',`
type $1_home_t;
')
- dontaudit $2 $1_home_t:dir r_dir_perms;
- dontaudit $2 $1_home_t:file r_file_perms;
+ dontaudit $2 $1_home_t:dir list_dir_perms;
+ dontaudit $2 $1_home_t:file read_file_perms;
')
########################################
@@ -1981,9 +1987,7 @@ template(`userdom_read_user_home_content_symlinks',`
')
files_search_home($2)
- allow $2 $1_home_dir_t:dir search_dir_perms;
- allow $2 $1_home_t:dir search_dir_perms;
- allow $2 $1_home_t:lnk_file r_file_perms;
+ read_lnk_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
')
########################################
@@ -2017,9 +2021,7 @@ template(`userdom_exec_user_home_content_files',`
')
files_search_home($2)
- allow $2 $1_home_dir_t:dir search_dir_perms;
- allow $2 $1_home_t:dir search_dir_perms;
- can_exec($2,$1_home_t)
+ exec_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
')
########################################
@@ -2089,8 +2091,7 @@ template(`userdom_manage_user_home_content_files',`
files_search_home($2)
allow $2 $1_home_dir_t:dir search_dir_perms;
- allow $2 $1_home_t:dir rw_dir_perms;
- allow $2 $1_home_t:file create_file_perms;
+ manage_files_pattern($2,$1_home_t,$1_home_t)
')
########################################
@@ -2162,8 +2163,7 @@ template(`userdom_manage_user_home_content_symlinks',`
files_search_home($2)
allow $2 $1_home_dir_t:dir search_dir_perms;
- allow $2 $1_home_t:dir rw_dir_perms;
- allow $2 $1_home_t:lnk_file create_lnk_perms;
+ manage_lnk_files_pattern($2,$1_home_t,$1_home_t)
')
########################################
@@ -2200,8 +2200,7 @@ template(`userdom_manage_user_home_content_pipes',`
files_search_home($2)
allow $2 $1_home_dir_t:dir search_dir_perms;
- allow $2 $1_home_t:dir rw_dir_perms;
- allow $2 $1_home_t:fifo_file create_file_perms;
+ manage_fifo_files_pattern($2,$1_home_t,$1_home_t)
')
########################################
@@ -2238,8 +2237,7 @@ template(`userdom_manage_user_home_content_sockets',`
files_search_home($2)
allow $2 $1_home_dir_t:dir search_dir_perms;
- allow $2 $1_home_t:dir rw_dir_perms;
- allow $2 $1_home_t:sock_file create_file_perms;
+ manage_sock_files_pattern($2,$1_home_t,$1_home_t)
')
########################################
@@ -2288,8 +2286,7 @@ template(`userdom_user_home_dir_filetrans',`
')
files_search_home($2)
- allow $2 $1_home_dir_t:dir rw_dir_perms;
- type_transition $2 $1_home_dir_t:$4 $3;
+ filetrans_pattern($2,$1_home_dir_t,$3,$4)
')
########################################
@@ -2333,8 +2330,7 @@ template(`userdom_user_home_dir_filetrans_user_home_content',`
')
files_search_home($2)
- allow $2 $1_home_dir_t:dir rw_dir_perms;
- type_transition $2 $1_home_dir_t:$3 $1_home_t;
+ filetrans_pattern($2,$1_home_dir_t,$1_home_t,$3)
')
########################################
@@ -2402,7 +2398,7 @@ template(`userdom_list_user_tmp',`
')
files_search_tmp($2)
- allow $2 $1_tmp_t:dir r_dir_perms;
+ allow $2 $1_tmp_t:dir list_dir_perms;
')
########################################
@@ -2437,7 +2433,7 @@ template(`userdom_dontaudit_list_user_tmp',`
type $1_tmp_t;
')
- dontaudit $2 $1_tmp_t:dir r_dir_perms;
+ dontaudit $2 $1_tmp_t:dir list_dir_perms;
')
########################################
@@ -2506,8 +2502,8 @@ template(`userdom_read_user_tmp_files',`
')
files_search_tmp($2)
- allow $2 $1_tmp_t:dir r_dir_perms;
- allow $2 $1_tmp_t:file r_file_perms;
+ allow $2 $1_tmp_t:dir list_dir_perms;
+ read_files_pattern($2,$1_tmp_t,$1_tmp_t)
')
########################################
@@ -2611,8 +2607,8 @@ template(`userdom_rw_user_tmp_files',`
')
files_search_tmp($2)
- allow $2 $1_tmp_t:dir r_dir_perms;
- allow $2 $1_tmp_t:file rw_file_perms;
+ allow $2 $1_tmp_t:dir list_dir_perms;
+ rw_files_pattern($2,$1_tmp_t,$1_tmp_t)
')
########################################
@@ -2683,8 +2679,8 @@ template(`userdom_read_user_tmp_symlinks',`
')
files_search_tmp($2)
- allow $2 $1_tmp_t:dir r_dir_perms;
- allow $2 $1_tmp_t:lnk_file r_file_perms;
+ allow $2 $1_tmp_t:dir list_dir_perms;
+ read_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t)
')
########################################
@@ -2720,7 +2716,7 @@ template(`userdom_manage_user_tmp_dirs',`
')
files_search_tmp($2)
- allow $2 $1_tmp_t:dir manage_dir_perms;
+ manage_dirs_pattern($2,$1_tmp_t,$1_tmp_t)
')
########################################
@@ -2756,8 +2752,7 @@ template(`userdom_manage_user_tmp_files',`
')
files_search_tmp($2)
- allow $2 $1_tmp_t:dir rw_dir_perms;
- allow $2 $1_tmp_t:file create_file_perms;
+ manage_files_pattern($2,$1_tmp_t,$1_tmp_t)
')
########################################
@@ -2793,8 +2788,7 @@ template(`userdom_manage_user_tmp_symlinks',`
')
files_search_tmp($2)
- allow $2 $1_tmp_t:dir rw_dir_perms;
- allow $2 $1_tmp_t:lnk_file create_lnk_perms;
+ manage_lnk_files_pattern($2,$1_tmp_t,$1_tmp_t)
')
########################################
@@ -2830,8 +2824,7 @@ template(`userdom_manage_user_tmp_pipes',`
')
files_search_tmp($2)
- allow $2 $1_tmp_t:dir rw_dir_perms;
- allow $2 $1_tmp_t:fifo_file create_file_perms;
+ manage_fifo_files_pattern($2,$1_tmp_t,$1_tmp_t)
')
########################################
@@ -2867,8 +2860,7 @@ template(`userdom_manage_user_tmp_sockets',`
')
files_search_tmp($2)
- allow $2 $1_tmp_t:dir rw_dir_perms;
- allow $2 $1_tmp_t:sock_file create_file_perms;
+ manage_sock_files_pattern($2,$1_tmp_t,$1_tmp_t)
')
########################################
@@ -2916,8 +2908,7 @@ template(`userdom_user_tmp_filetrans',`
type $1_tmp_t;
')
- allow $2 $1_tmp_t:dir rw_dir_perms;
- type_transition $2 $1_tmp_t:$4 $3;
+ filetrans_pattern($2,$1_tmp_t,$3,$4)
files_search_tmp($2)
')
@@ -2996,8 +2987,8 @@ template(`userdom_rw_user_tmpfs_files',`
fs_search_tmpfs($2)
allow $2 $1_tmpfs_t:dir list_dir_perms;
- allow $2 $1_tmpfs_t:file rw_file_perms;
- allow $2 $1_tmpfs_t:lnk_file { getattr read };
+ rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
+ read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
')
########################################
@@ -3030,7 +3021,7 @@ template(`userdom_list_user_untrusted_content',`
type $1_untrusted_content_t;
')
- allow $2 $1_untrusted_content_t:dir r_dir_perms;
+ allow $2 $1_untrusted_content_t:dir list_dir_perms;
')
########################################
@@ -3065,7 +3056,7 @@ template(`userdom_dontaudit_list_user_untrusted_content',`
type $1_untrusted_content_t;
')
- dontaudit $2 $1_untrusted_content_t:dir r_dir_perms;
+ dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
')
########################################
@@ -3098,8 +3089,8 @@ template(`userdom_read_user_untrusted_content_files',`
type $1_untrusted_content_t;
')
- allow $2 $1_untrusted_content_t:dir r_dir_perms;
- allow $2 $1_untrusted_content_t:file r_file_perms;
+ allow $2 $1_untrusted_content_t:dir list_dir_perms;
+ read_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)
')
########################################
@@ -3132,8 +3123,7 @@ template(`userdom_manage_user_untrusted_content_files',`
type $1_untrusted_content_t;
')
- allow $2 $1_tmp_t:dir rw_dir_perms;
- allow $2 $1_untrusted_content_tmp_t:file manage_file_perms;
+ manage_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)
')
########################################
@@ -3168,7 +3158,7 @@ template(`userdom_dontaudit_read_user_untrusted_content_files',`
type $1_untrusted_content_t;
')
- dontaudit $2 $1_untrusted_content_t:file r_file_perms;
+ dontaudit $2 $1_untrusted_content_t:file read_file_perms;
')
########################################
@@ -3201,8 +3191,8 @@ template(`userdom_read_user_untrusted_content_symlinks',`
type $1_untrusted_content_t;
')
- allow $2 $1_untrusted_content_t:dir r_dir_perms;
- allow $2 $1_untrusted_content_t:lnk_file r_file_perms;
+ allow $2 $1_untrusted_content_t:dir list_dir_perms;
+ read_lnk_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)
')
########################################
@@ -3235,7 +3225,7 @@ template(`userdom_list_user_tmp_untrusted_content',`
type $1_untrusted_content_tmp_t;
')
- allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
+ allow $2 $1_untrusted_content_tmp_t:dir list_dir_perms;
')
########################################
@@ -3270,7 +3260,7 @@ template(`userdom_dontaudit_list_user_tmp_untrusted_content',`
type $1_untrusted_content_tmp_t;
')
- dontaudit $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
+ dontaudit $2 $1_untrusted_content_tmp_t:dir list_dir_perms;
')
########################################
@@ -3303,8 +3293,8 @@ template(`userdom_read_user_tmp_untrusted_content_files',`
type $1_untrusted_content_tmp_t;
')
- allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
- allow $2 $1_untrusted_content_tmp_t:file r_file_perms;
+ allow $2 $1_untrusted_content_tmp_t:dir list_dir_perms;
+ read_files_pattern($2,$1_untrusted_content_tmp_t,$1_untrusted_content_tmp_t)
')
########################################
@@ -3372,8 +3362,8 @@ template(`userdom_read_user_tmp_untrusted_content_symlinks',`
type $1_untrusted_content_tmp_t;
')
- allow $2 $1_untrusted_content_tmp_t:dir r_dir_perms;
- allow $2 $1_untrusted_content_tmp_t:lnk_file r_file_perms;
+ allow $2 $1_untrusted_content_tmp_t:dir list_dir_perms;
+ read_lnk_files_pattern($2,$1_untrusted_content_tmp_t,$1_untrusted_content_tmp_t)
')
########################################
@@ -3391,8 +3381,9 @@ interface(`userdom_read_all_untrusted_content',`
attribute untrusted_content_type;
')
- allow $1 untrusted_content_type:dir r_dir_perms;
- allow $1 untrusted_content_type:{ file lnk_file } r_file_perms;
+ allow $1 untrusted_content_type:dir list_dir_perms;
+ read_files_pattern($1,untrusted_content_type,untrusted_content_type)
+ read_lnk_files_pattern($1,untrusted_content_type,untrusted_content_type)
')
########################################
@@ -3410,8 +3401,9 @@ interface(`userdom_read_all_tmp_untrusted_content',`
attribute untrusted_content_tmp_type;
')
- allow $1 untrusted_content_tmp_type:dir r_dir_perms;
- allow $1 untrusted_content_tmp_type:{ file lnk_file } r_file_perms;
+ allow $1 untrusted_content_tmp_type:dir list_dir_perms;
+ read_files_pattern($1,untrusted_content_tmp_type,untrusted_content_tmp_type)
+ read_lnk_files_pattern($1,untrusted_content_tmp_type,untrusted_content_tmp_type)
')
########################################
@@ -3582,7 +3574,6 @@ interface(`userdom_spec_domtrans_all_users',`
')
corecmd_shell_spec_domtrans($1,userdomain)
- allow $1 userdomain:fd use;
allow userdomain $1:fd use;
allow userdomain $1:fifo_file rw_file_perms;
allow userdomain $1:process sigchld;
@@ -3606,7 +3597,6 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
')
xserver_xsession_spec_domtrans($1,userdomain)
- allow $1 userdomain:fd use;
allow userdomain $1:fd use;
allow userdomain $1:fifo_file rw_file_perms;
allow userdomain $1:process sigchld;
@@ -3630,7 +3620,6 @@ interface(`userdom_spec_domtrans_unpriv_users',`
')
corecmd_shell_spec_domtrans($1,unpriv_userdomain)
- allow $1 unpriv_userdomain:fd use;
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
@@ -3654,7 +3643,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
')
xserver_xsession_spec_domtrans($1,unpriv_userdomain)
- allow $1 unpriv_userdomain:fd use;
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
@@ -3715,8 +3703,6 @@ interface(`userdom_bin_spec_domtrans_unpriv_users',`
')
corecmd_bin_spec_domtrans($1,unpriv_userdomain)
-
- allow $1 unpriv_userdomain:fd use;
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
@@ -3740,8 +3726,6 @@ interface(`userdom_sbin_spec_domtrans_unpriv_users',`
')
corecmd_sbin_spec_domtrans($1,unpriv_userdomain)
-
- allow $1 unpriv_userdomain:fd use;
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
@@ -3765,8 +3749,6 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
')
domain_entry_file_spec_domtrans($1,unpriv_userdomain)
-
- allow $1 unpriv_userdomain:fd use;
allow unpriv_userdomain $1:fd use;
allow unpriv_userdomain $1:fifo_file rw_file_perms;
allow unpriv_userdomain $1:process sigchld;
@@ -3792,8 +3774,6 @@ interface(`userdom_shell_domtrans_sysadm',`
')
corecmd_shell_domtrans($1,sysadm_t)
-
- allow $1 sysadm_t:fd use;
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
@@ -3816,8 +3796,6 @@ interface(`userdom_bin_spec_domtrans_sysadm',`
')
corecmd_bin_spec_domtrans($1,sysadm_t)
-
- allow $1 sysadm_t:fd use;
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
@@ -3839,8 +3817,6 @@ interface(`userdom_sbin_spec_domtrans_sysadm',`
')
corecmd_sbin_spec_domtrans($1,sysadm_t)
-
- allow $1 sysadm_t:fd use;
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
@@ -3864,8 +3840,6 @@ interface(`userdom_entry_spec_domtrans_sysadm',`
')
domain_entry_file_spec_domtrans($1,sysadm_t)
-
- allow $1 sysadm_t:fd use;
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
@@ -3900,8 +3874,6 @@ interface(`userdom_sysadm_bin_spec_domtrans_to',`
')
corecmd_bin_spec_domtrans(sysadm_t,$1)
-
- allow sysadm_t $1:fd use;
allow $1 sysadm_t:fd use;
allow $1 sysadm_t:fifo_file rw_file_perms;
allow $1 sysadm_t:process sigchld;
@@ -3936,8 +3908,6 @@ interface(`userdom_sysadm_sbin_spec_domtrans_to',`
')
corecmd_sbin_spec_domtrans(sysadm_t, $1)
-
- allow sysadm_t $1:fd use;
allow $1 sysadm_t:fd use;
allow $1 sysadm_t:fifo_file rw_file_perms;
allow $1 sysadm_t:process sigchld;
@@ -3973,8 +3943,6 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',`
')
domain_entry_file_spec_domtrans(sysadm_t, $1)
-
- allow sysadm_t $1:fd use;
allow $1 sysadm_t:fd use;
allow $1 sysadm_t:fifo_file rw_file_perms;
allow $1 sysadm_t:process sigchld;
@@ -4100,8 +4068,9 @@ interface(`userdom_read_staff_home_content_files',`
')
files_search_home($1)
- allow $1 { staff_home_dir_t staff_home_t }:dir r_dir_perms;
- allow $1 staff_home_t:{ file lnk_file } r_file_perms;
+ allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms;
+ read_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
+ read_lnk_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t)
')
########################################
@@ -4319,7 +4288,7 @@ interface(`userdom_rw_sysadm_pipes',`
type sysadm_t;
')
- allow $1 sysadm_t:fifo_file rw_file_perms;
+ allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
')
')
@@ -4510,8 +4479,7 @@ interface(`userdom_sysadm_home_dir_filetrans',`
type sysadm_home_dir_t;
')
- allow $1 sysadm_home_dir_t:dir rw_dir_perms;
- type_transition $1 sysadm_home_dir_t:$3 $2;
+ filetrans_pattern($1,sysadm_home_dir_t,$2,$3)
')
########################################
@@ -4549,8 +4517,9 @@ interface(`userdom_read_sysadm_home_content_files',`
')
files_search_home($1)
- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
- allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
+ allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
+ read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
+ read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
',`
userdom_read_generic_user_home_content_files($1)
')
@@ -4574,7 +4543,8 @@ interface(`userdom_read_sysadm_tmp_files',`
files_search_tmp($1)
allow $1 sysadm_tmp_t:dir list_dir_perms;
- allow $1 sysadm_tmp_t:{ file lnk_file } r_file_perms;
+ read_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t)
+ read_lnk_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t)
',`
files_read_generic_tmp_files($1)
')
@@ -4671,8 +4641,8 @@ interface(`userdom_read_all_users_home_content_files',`
')
files_list_home($1)
- allow $1 home_type:dir r_dir_perms;
- allow $1 home_type:file r_file_perms;
+ allow $1 home_type:dir list_dir_perms;
+ read_files_pattern($1,home_type,home_type)
')
########################################
@@ -4692,7 +4662,7 @@ interface(`userdom_manage_all_users_home_content_dirs',`
')
files_list_home($1)
- allow $1 home_type:dir create_dir_perms;
+ allow $1 home_type:dir manage_dir_perms;
')
########################################
@@ -4712,8 +4682,7 @@ interface(`userdom_manage_all_users_home_content_files',`
')
files_list_home($1)
- allow $1 home_type:dir rw_dir_perms;
- allow $1 home_type:file create_file_perms;
+ manage_files_pattern($1,home_type,home_type)
')
########################################
@@ -4733,8 +4702,7 @@ interface(`userdom_manage_all_users_home_content_symlinks',`
')
files_list_home($1)
- allow $1 home_type:dir rw_dir_perms;
- allow $1 home_type:lnk_file create_lnk_perms;
+ manage_lnk_files_pattern($1,home_type,home_type)
')
########################################
@@ -4881,8 +4849,7 @@ interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
')
files_search_home($1)
- allow $1 user_home_dir_t:dir rw_dir_perms;
- type_transition $1 user_home_dir_t:$2 user_home_t;
+ filetrans_pattern($1,user_home_dir_t,user_home_t,$2)
')
########################################
@@ -4941,8 +4908,7 @@ interface(`userdom_manage_generic_user_home_content_dirs',`
')
files_search_home($1)
- allow $1 user_home_dir_t:dir search_dir_perms;
- allow $1 user_home_t:dir create_dir_perms;
+ manage_dirs_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
########################################
@@ -4980,9 +4946,8 @@ interface(`userdom_read_generic_user_home_content_files',`
')
files_search_home($1)
- allow $1 user_home_dir_t:dir search_dir_perms;
- allow $1 user_home_t:dir r_dir_perms;
- allow $1 user_home_t:file r_file_perms;
+ allow $1 user_home_t:dir list_dir_perms;
+ read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
########################################
@@ -5022,9 +4987,7 @@ interface(`userdom_manage_generic_user_home_content_files',`
')
files_search_home($1)
- allow $1 user_home_dir_t:dir search_dir_perms;
- allow $1 user_home_t:dir rw_dir_perms;
- allow $1 user_home_t:file manage_file_perms;
+ manage_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
########################################
@@ -5063,9 +5026,7 @@ interface(`userdom_manage_generic_user_home_content_symlinks',`
')
files_search_home($1)
- allow $1 user_home_dir_t:dir search_dir_perms;
- allow $1 user_home_t:dir rw_dir_perms;
- allow $1 user_home_t:lnk_file create_lnk_perms;
+ manage_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
########################################
@@ -5085,9 +5046,7 @@ interface(`userdom_manage_generic_user_home_content_pipes',`
')
files_search_home($1)
- allow $1 user_home_dir_t:dir search_dir_perms;
- allow $1 user_home_t:dir rw_dir_perms;
- allow $1 user_home_t:fifo_file create_file_perms;
+ manage_fifo_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
########################################
@@ -5107,9 +5066,7 @@ interface(`userdom_manage_generic_user_home_content_sockets',`
')
files_search_home($1)
- allow $1 user_home_dir_t:dir search_dir_perms;
- allow $1 user_home_t:dir rw_dir_perms;
- allow $1 user_home_t:sock_file create_file_perms;
+ manage_sock_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t)
')
########################################
@@ -5148,10 +5105,9 @@ interface(`userdom_read_unpriv_users_home_content_files',`
')
files_search_home($1)
- allow $1 user_home_dir_type:dir search_dir_perms;
- allow $1 user_home_type:dir r_dir_perms;
- allow $1 user_home_type:lnk_file { getattr read };
- allow $1 user_home_type:file r_file_perms;
+ allow $1 user_home_type:dir list_dir_perms;
+ read_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
+ read_lnk_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
')
########################################
@@ -5171,8 +5127,7 @@ interface(`userdom_manage_unpriv_users_home_content_dirs',`
')
files_search_home($1)
- allow $1 user_home_dir_type:dir search_dir_perms;
- allow $1 user_home_type:dir manage_dir_perms;
+ manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
')
########################################
@@ -5192,9 +5147,7 @@ interface(`userdom_manage_unpriv_users_home_content_files',`
')
files_search_home($1)
- allow $1 user_home_dir_type:dir search_dir_perms;
- allow $1 user_home_type:dir rw_dir_perms;
- allow $1 user_home_type:file manage_file_perms;
+ manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
')
########################################
@@ -5400,7 +5353,7 @@ interface(`userdom_use_unpriv_users_ttys',`
attribute user_ttynode;
')
- allow $1 user_ttynode:chr_file rw_file_perms;
+ allow $1 user_ttynode:chr_file rw_term_perms;
')
')
@@ -5442,8 +5395,7 @@ interface(`userdom_read_all_users_state',`
attribute userdomain;
')
- allow $1 userdomain:dir search_dir_perms;
- allow $1 userdomain:file r_file_perms;
+ read_files_pattern($1,userdomain,userdomain)
kernel_search_proc($1)
')
@@ -5594,6 +5546,6 @@ interface(`userdom_unconfined',`
type user_home_dir_t;
')
- allow $1 user_home_dir_t:dir create_dir_perms;
+ allow $1 user_home_dir_t:dir manage_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 0b6b6533..4f77a779 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -102,7 +102,7 @@ ifdef(`strict_policy',`
allow sysadm_t userdomain:fd use;
# Add/remove user home directories
- allow sysadm_t user_home_dir_t:dir create_dir_perms;
+ allow sysadm_t user_home_dir_t:dir manage_dir_perms;
files_home_filetrans(sysadm_t,user_home_dir_t,dir)
corecmd_exec_shell(sysadm_t)
@@ -485,13 +485,12 @@ ifdef(`targeted_policy',`
allow system_r sysadm_r;
allow system_r sysadm_r;
- allow privhome user_home_t:dir manage_dir_perms;
- allow privhome user_home_t:file create_file_perms;
- allow privhome user_home_t:lnk_file create_lnk_perms;
- allow privhome user_home_t:fifo_file create_file_perms;
- allow privhome user_home_t:sock_file create_file_perms;
- allow privhome user_home_dir_t:dir rw_dir_perms;
- type_transition privhome user_home_dir_t:{ dir file lnk_file fifo_file sock_file } user_home_t;
+ manage_dirs_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
+ manage_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
+ manage_lnk_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
+ manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
+ manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
+ filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file })
files_search_home(privhome)
ifdef(`enable_mls',`
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
index fbc62fa0..7ef96e52 100644
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
@@ -15,12 +15,7 @@ interface(`xen_domtrans',`
type xend_t, xend_exec_t;
')
- domain_auto_trans($1,xend_exec_t,xend_t)
-
- allow $1 xend_t:fd use;
- allow xend_t $1:fd use;
- allow xend_t $1:fifo_file rw_file_perms;
- allow xend_t $1:process sigchld;
+ domtrans_pattern($1,xend_exec_t,xend_t)
')
########################################
@@ -117,9 +112,7 @@ interface(`xen_stream_connect_xenstore',`
')
files_search_pids($1)
- allow $1 xenstored_var_run_t:dir search;
- allow $1 xenstored_var_run_t:sock_file { getattr write };
- allow $1 xenstored_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,xenstored_var_run_t,xenstored_var_run_t,xenstored_t)
')
########################################
@@ -138,9 +131,7 @@ interface(`xen_stream_connect',`
')
files_search_pids($1)
- allow $1 xend_var_run_t:dir search;
- allow $1 xend_var_run_t:sock_file { getattr write };
- allow $1 xend_t:unix_stream_socket connectto;
+ stream_connect_pattern($1,xend_var_run_t,xend_var_run_t,xend_t)
')
########################################
@@ -158,8 +149,5 @@ interface(`xen_domtrans_xm',`
type xm_t, xm_exec_t;
')
- domain_auto_trans($1,xm_exec_t,xm_t)
- allow xm_t $1:fd use;
- allow xm_t $1:fifo_file rw_file_perms;
- allow xm_t $1:process sigchld;
+ domtrans_pattern($1,xm_exec_t,xm_t)
')
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 7d7f4bf4..92946406 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -20,7 +20,6 @@ dev_node(xen_image_t)
type xenctl_t;
files_type(xenctl_t)
-
type xend_t;
type xend_exec_t;
domain_type(xend_t)
@@ -79,37 +78,38 @@ dontaudit xend_t self:capability { sys_ptrace };
allow xend_t self:process { signal sigkill };
dontaudit xend_t self:process ptrace;
# internal communication is often done using fifo and unix sockets.
-allow xend_t self:fifo_file rw_file_perms;
+allow xend_t self:fifo_file rw_fifo_file_perms;
allow xend_t self:unix_stream_socket create_stream_socket_perms;
allow xend_t self:unix_dgram_socket create_socket_perms;
allow xend_t self:netlink_route_socket r_netlink_socket_perms;
allow xend_t self:tcp_socket create_stream_socket_perms;
allow xend_t self:packet_socket create_socket_perms;
-allow xend_t xen_image_t:dir manage_dir_perms;
-allow xend_t xen_image_t:file manage_file_perms;
-allow xend_t xen_image_t:blk_file rw_file_perms;
+allow xend_t xen_image_t:dir list_dir_perms;
+manage_dirs_pattern(xend_t,xen_image_t,xen_image_t)
+manage_files_pattern(xend_t,xen_image_t,xen_image_t)
+rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
-allow xend_t xenctl_t:fifo_file create_file_perms;
+allow xend_t xenctl_t:fifo_file manage_file_perms;
dev_filetrans(xend_t, xenctl_t, fifo_file)
# pid file
-allow xend_t xend_var_run_t:file manage_file_perms;
-allow xend_t xend_var_run_t:sock_file manage_file_perms;
-allow xend_t xend_var_run_t:dir { setattr rw_dir_perms };
+allow xend_t xend_var_run_t:dir setattr;
+manage_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
+manage_sock_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
# log files
-allow xend_t xend_var_log_t:file create_file_perms;
-allow xend_t xend_var_log_t:sock_file create_file_perms;
-allow xend_t xend_var_log_t:dir { rw_dir_perms setattr };
+allow xend_t xend_var_log_t:dir setattr;
+manage_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
+manage_sock_files_pattern(xend_t,xend_var_log_t,xend_var_log_t)
logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
# var/lib files for xend
-allow xend_t xend_var_lib_t:file create_file_perms;
-allow xend_t xend_var_lib_t:sock_file create_file_perms;
-allow xend_t xend_var_lib_t:fifo_file create_file_perms;
-allow xend_t xend_var_lib_t:dir create_dir_perms;
+manage_dirs_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
+manage_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
+manage_sock_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
+manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
# transition to store
@@ -226,9 +226,8 @@ allow xenconsoled_t self:fifo_file { read write };
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
# pid file
-allow xenconsoled_t xenconsoled_var_run_t:file manage_file_perms;
-allow xenconsoled_t xenconsoled_var_run_t:sock_file manage_file_perms;
-allow xenconsoled_t xenconsoled_var_run_t:dir rw_dir_perms;
+manage_files_pattern(xenconsoled_t,xenconsoled_var_run_t,xenconsoled_var_run_t)
+manage_sock_files_pattern(xenconsoled_t,xenconsoled_var_run_t,xenconsoled_var_run_t)
files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(xenconsoled_t)
@@ -268,15 +267,14 @@ allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
allow xenstored_t self:unix_dgram_socket create_socket_perms;
# pid file
-allow xenstored_t xenstored_var_run_t:file manage_file_perms;
-allow xenstored_t xenstored_var_run_t:sock_file manage_file_perms;
-allow xenstored_t xenstored_var_run_t:dir rw_dir_perms;
+manage_files_pattern(xenstored_t,xenstored_var_run_t,xenstored_var_run_t)
+manage_sock_files_pattern(xenstored_t,xenstored_var_run_t,xenstored_var_run_t)
files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file })
# var/lib files for xenstored
-allow xenstored_t xenstored_var_lib_t:file create_file_perms;
-allow xenstored_t xenstored_var_lib_t:sock_file create_file_perms;
-allow xenstored_t xenstored_var_lib_t:dir create_dir_perms;
+manage_dirs_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
+manage_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
+manage_sock_files_pattern(xenstored_t,xenstored_var_lib_t,xenstored_var_lib_t)
files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })
kernel_write_xen_state(xenstored_t)
@@ -317,13 +315,12 @@ allow xm_t self:fifo_file { read write };
allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xm_t self:tcp_socket create_stream_socket_perms;
-allow xm_t xend_var_lib_t:dir rw_dir_perms;
-allow xm_t xend_var_lib_t:fifo_file create_file_perms;
-allow xm_t xend_var_lib_t:file create_file_perms;
+manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
+manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
files_search_var_lib(xm_t)
allow xm_t xen_image_t:dir rw_dir_perms;
-allow xm_t xen_image_t:file r_file_perms;
+allow xm_t xen_image_t:file read_file_perms;
kernel_read_system_state(xm_t)
kernel_read_kernel_sysctls(xm_t)
diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
new file mode 100644
index 00000000..77eefa8f
--- /dev/null
+++ b/policy/support/file_patterns.spt
@@ -0,0 +1,534 @@
+#
+# Directory patterns (dir)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. directory type
+#
+define(`getattr_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir getattr_dir_perms;
+')
+
+define(`setattr_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir setattr_dir_perms;
+')
+
+define(`search_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir search_dir_perms;
+')
+
+define(`list_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir list_dir_perms;
+')
+
+define(`add_entry_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir add_entry_dir_perms;
+')
+
+define(`del_entry_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir del_entry_dir_perms;
+')
+
+define(`create_dirs_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:dir create_dir_perms;
+')
+
+define(`delete_dirs_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:dir delete_dir_perms;
+')
+
+define(`rename_dirs_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:dir rename_dir_perms;
+')
+
+define(`manage_dirs_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:dir manage_dir_perms;
+')
+
+define(`relabelfrom_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir relabelfrom_dir_perms;
+')
+
+define(`relabelto_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir relabelto_dir_perms;
+')
+
+define(`relabel_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir relabel_dir_perms;
+')
+
+#
+# Regular file patterns (file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file getattr_file_perms;
+')
+
+define(`setattr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file setattr_file_perms;
+')
+
+define(`read_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file read_file_perms;
+')
+
+define(`mmap_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file mmap_file_perms;
+')
+
+define(`exec_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file exec_file_perms;
+')
+
+define(`append_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file append_file_perms;
+')
+
+define(`write_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file write_file_perms;
+')
+
+define(`rw_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file rw_file_perms;
+')
+
+define(`create_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:file create_file_perms;
+')
+
+define(`delete_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:file delete_file_perms;
+')
+
+define(`rename_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:file rename_file_perms;
+')
+
+define(`manage_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:file manage_file_perms;
+')
+
+define(`relabelfrom_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file relabelfrom_file_perms;
+')
+
+define(`relabelto_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file relabelto_file_perms;
+')
+
+define(`relabel_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:file relabel_file_perms;
+')
+
+#
+# Symbolic link patterns (lnk_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file getattr_lnk_file_perms;
+')
+
+define(`setattr_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file setattr_lnk_file_perms;
+')
+
+define(`read_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file read_lnk_file_perms;
+')
+
+define(`append_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file append_lnk_file_perms;
+')
+
+define(`write_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file write_lnk_file_perms;
+')
+
+define(`rw_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file rw_lnk_file_perms;
+')
+
+define(`create_lnk_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:lnk_file create_lnk_file_perms;
+')
+
+define(`delete_lnk_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:lnk_file delete_lnk_file_perms;
+')
+
+define(`rename_lnk_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:lnk_file rename_lnk_file_perms;
+')
+
+define(`manage_lnk_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:lnk_file manage_lnk_file_perms;
+')
+
+define(`relabelfrom_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file relabelfrom_lnk_file_perms;
+')
+
+define(`relabelto_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file relabelto_lnk_file_perms;
+')
+
+define(`relabel_lnk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:lnk_file relabel_lnk_file_perms;
+')
+
+#
+# (Un)named Pipes/FIFO patterns (fifo_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file getattr_fifo_file_perms;
+')
+
+define(`setattr_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file setattr_fifo_file_perms;
+')
+
+define(`read_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file read_fifo_file_perms;
+')
+
+define(`append_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file append_fifo_file_perms;
+')
+
+define(`write_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file write_fifo_file_perms;
+')
+
+define(`rw_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file rw_fifo_file_perms;
+')
+
+define(`create_fifo_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:fifo_file create_fifo_file_perms;
+')
+
+define(`delete_fifo_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:fifo_file delete_fifo_file_perms;
+')
+
+define(`rename_fifo_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:fifo_file rename_fifo_file_perms;
+')
+
+define(`manage_fifo_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:fifo_file manage_fifo_file_perms;
+')
+
+define(`relabelfrom_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file relabelfrom_fifo_file_perms;
+')
+
+define(`relabelto_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file relabelto_fifo_file_perms;
+')
+
+define(`relabel_fifo_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:fifo_file relabel_fifo_file_perms;
+')
+
+#
+# (Un)named sockets patterns (sock_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file getattr_fifo_file_perms;
+')
+
+define(`setattr_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file setattr_fifo_file_perms;
+')
+
+define(`read_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file read_fifo_file_perms;
+')
+
+define(`write_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file write_fifo_file_perms;
+')
+
+define(`rw_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file rw_fifo_file_perms;
+')
+
+define(`create_sock_files_pattern',`
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:sock_file create_fifo_file_perms;
+')
+
+define(`delete_sock_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:sock_file delete_fifo_file_perms;
+')
+
+define(`rename_sock_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:sock_file rename_fifo_file_perms;
+')
+
+define(`manage_sock_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:sock_file manage_fifo_file_perms;
+')
+
+define(`relabelfrom_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file relabelfrom_sock_file_perms;
+')
+
+define(`relabelto_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file relabelto_sock_file_perms;
+')
+
+define(`relabel_sock_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file relabel_sock_file_perms;
+')
+
+#
+# Block device node patterns (blk_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file getattr_blk_file_perms;
+')
+
+define(`setattr_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file setattr_blk_file_perms;
+')
+
+define(`read_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file read_blk_file_perms;
+')
+
+define(`append_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file append_blk_file_perms;
+')
+
+define(`write_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file write_blk_file_perms;
+')
+
+define(`rw_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file rw_blk_file_perms;
+')
+
+define(`create_blk_files_pattern',`
+ allow $1 self:capability mknod;
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:blk_file create_blk_file_perms;
+')
+
+define(`delete_blk_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:blk_file delete_blk_file_perms;
+')
+
+define(`rename_blk_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:blk_file rename_blk_file_perms;
+')
+
+define(`manage_blk_files_pattern',`
+ allow $1 self:capability mknod;
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:blk_file manage_blk_file_perms;
+')
+
+define(`relabelfrom_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file relabelfrom_blk_file_perms;
+')
+
+define(`relabelto_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file relabelto_blk_file_perms;
+')
+
+define(`relabel_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file relabel_blk_file_perms;
+')
+
+#
+# Character device node patterns (chr_file)
+#
+# Parameters:
+# 1. domain type
+# 2. container (directory) type
+# 3. file type
+#
+define(`getattr_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file getattr_chr_file_perms;
+')
+
+define(`setattr_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file setattr_chr_file_perms;
+')
+
+define(`read_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file read_chr_file_perms;
+')
+
+define(`append_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file append_chr_file_perms;
+')
+
+define(`write_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file write_chr_file_perms;
+')
+
+define(`rw_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file rw_chr_file_perms;
+')
+
+define(`create_chr_files_pattern',`
+ allow $1 self:capability mknod;
+ allow $1 $2:dir add_entry_dir_perms;
+ allow $1 $3:chr_file create_chr_file_perms;
+')
+
+define(`delete_chr_files_pattern',`
+ allow $1 $2:dir del_entry_dir_perms;
+ allow $1 $3:chr_file delete_chr_file_perms;
+')
+
+define(`rename_chr_files_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:chr_file rename_chr_file_perms;
+')
+
+define(`manage_chr_files_pattern',`
+ allow $1 self:capability mknod;
+ allow $1 $2:dir rw_dir_perms;
+ allow $1 $3:chr_file manage_chr_file_perms;
+')
+
+define(`relabelfrom_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file relabelfrom_chr_file_perms;
+')
+
+define(`relabelto_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file relabelto_chr_file_perms;
+')
+
+define(`relabel_chr_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:chr_file relabel_chr_file_perms;
+')
+
+#
+# File type_transition patterns
+#
+# pattern(domain,dirtype,newtype,class(es))
+#
+define(`filetrans_add_pattern',`
+ allow $1 $2:dir ra_dir_perms;
+ type_transition $1 $2:$4 $3;
+')
+
+define(`filetrans_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+ type_transition $1 $2:$4 $3;
+')
diff --git a/policy/support/ipc_patterns.spt b/policy/support/ipc_patterns.spt
new file mode 100644
index 00000000..641f6e2b
--- /dev/null
+++ b/policy/support/ipc_patterns.spt
@@ -0,0 +1,14 @@
+#
+# unix domain socket patterns
+#
+define(`stream_connect_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file { getattr write };
+ allow $1 $4:unix_stream_socket connectto;
+')
+
+define(`dgram_send_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:sock_file { getattr write };
+ allow $1 $4:unix_dgram_socket sendto;
+')
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
new file mode 100644
index 00000000..7efe2867
--- /dev/null
+++ b/policy/support/misc_patterns.spt
@@ -0,0 +1,53 @@
+#
+# Specified domain transition patterns
+#
+define(`domain_transition_pattern',`
+ allow $1 $2:file { getattr read execute };
+ allow $1 $3:process transition;
+ dontaudit $1 $3:process { noatsecure siginh rlimitinh };
+')
+
+# compatibility:
+define(`domain_trans',`domain_transition_pattern($*)')
+
+define(`spec_domtrans_pattern',`
+ allow $1 self:process setexec;
+ domain_transition_pattern($1,$2,$3)
+
+ allow $3 $1:fd use;
+ allow $3 $1:fifo_file rw_file_perms;
+ allow $3 $1:process sigchld;
+')
+
+#
+# Automatic domain transition patterns
+#
+define(`domain_auto_transition_pattern',`
+ domain_transition_pattern($1,$2,$3)
+ type_transition $1 $2:process $3;
+')
+
+# compatibility:
+define(`domain_auto_trans',`domain_auto_transition_pattern($*)')
+
+define(`domtrans_pattern',`
+ domain_auto_transition_pattern($1,$2,$3)
+
+ allow $3 $1:fd use;
+ allow $3 $1:fifo_file rw_file_perms;
+ allow $3 $1:process sigchld;
+')
+
+#
+# Other process permissions
+#
+define(`send_audit_msgs_pattern',`
+ allow $1 self:capability audit_write;
+ allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+')
+
+define(`ps_process_pattern',`
+ allow $1 $2:dir { search getattr read };
+ allow $1 $2:{ file lnk_file } { read getattr };
+ allow $1 $2:process getattr;
+')
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index eea15980..734c63d5 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -88,8 +88,9 @@ define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
#
# Permissions for creating and using files.
-#
-define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
+#
+# deprecated by new perm set below
+#define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
#
# Permissions for reading directories and their attributes.
@@ -109,8 +110,9 @@ define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
#
# Permissions for creating and using directories.
-#
-define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
+#
+# deprecated by new perm set below
+#define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
#
# Permissions to mount and unmount file systems.
@@ -192,27 +194,125 @@ define(`create_shm_perms', `{ associate getattr setattr create destroy read writ
#
#
-# Directory
+# Directory (dir)
#
-define(`search_dir_perms',`{ getattr search }')
define(`getattr_dir_perms',`{ getattr }')
define(`setattr_dir_perms',`{ setattr }')
+define(`search_dir_perms',`{ getattr search }')
define(`list_dir_perms',`{ getattr search read lock ioctl }')
define(`add_entry_dir_perms',`{ getattr search lock ioctl write add_name }')
define(`del_entry_dir_perms',`{ getattr search lock ioctl write remove_name }')
+define(`create_dir_perms',`{ getattr create }')
+define(`delete_dir_perms',`{ getattr rmdir }')
define(`manage_dir_perms',`{ create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }')
+define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')
+define(`relabelto_dir_perms',`{ getattr relabelto }')
+define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
#
-# File
+# Regular file (file)
#
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
define(`read_file_perms',`{ getattr read lock ioctl }')
+define(`mmap_file_perms',`{ getattr read execute }')
+define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
define(`append_file_perms',`{ getattr append lock ioctl }')
define(`write_file_perms',`{ getattr write append lock ioctl }')
define(`rw_file_perms',`{ getattr read write append ioctl lock }')
+define(`create_file_perms',`{ getattr create }')
+define(`rename_file_perms',`{ getattr rename }')
define(`delete_file_perms',`{ getattr unlink }')
define(`manage_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_file_perms',`{ getattr relabelto }')
+define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Symbolic link (lnk_file)
+#
+define(`getattr_lnk_file_perms',`{ getattr }')
+define(`setattr_lnk_file_perms',`{ setattr }')
+define(`read_lnk_file_perms',`{ getattr read }')
+define(`write_lnk_file_perms',`{ getattr write lock ioctl }')
+define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+define(`create_lnk_file_perms',`{ create getattr }')
+define(`rename_lnk_file_perms',`{ getattr rename }')
+define(`delete_lnk_file_perms',`{ getattr unlink }')
+define(`manage_lnk_file_perms',`{ create read getattr setattr unlink rename }')
+define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
+define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# (Un)named Pipes/FIFOs (fifo_file)
+#
+define(`getattr_fifo_file_perms',`{ getattr }')
+define(`setattr_fifo_file_perms',`{ setattr }')
+define(`read_fifo_file_perms',`{ getattr read lock ioctl }')
+define(`append_fifo_file_perms',`{ getattr append lock ioctl }')
+define(`write_fifo_file_perms',`{ getattr write append lock ioctl }')
+define(`rw_fifo_file_perms',`{ getattr read write append ioctl lock }')
+define(`create_fifo_file_perms',`{ getattr create }')
+define(`delete_fifo_file_perms',`{ getattr unlink }')
+define(`manage_fifo_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_fifo_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_fifo_file_perms',`{ getattr relabelto }')
+define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# (Un)named Sockets (sock_file)
+#
+define(`getattr_sock_file_perms',`{ getattr }')
+define(`setattr_sock_file_perms',`{ setattr }')
+define(`read_sock_file_perms',`{ getattr read }')
+define(`write_sock_file_perms',`{ getattr write append }')
+define(`rw_sock_file_perms',`{ getattr read write append }')
+define(`create_sock_file_perms',`{ getattr create }')
+define(`delete_sock_file_perms',`{ getattr unlink }')
+define(`manage_sock_file_perms',`{ create getattr setattr read write rename link unlink ioctl lock }')
+define(`relabelfrom_sock_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_sock_file_perms',`{ getattr relabelto }')
+define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Block device nodes (blk_file)
+#
+define(`getattr_blk_file_perms',`{ getattr }')
+define(`setattr_blk_file_perms',`{ setattr }')
+define(`read_blk_file_perms',`{ getattr read lock ioctl }')
+define(`append_blk_file_perms',`{ getattr append lock ioctl }')
+define(`write_blk_file_perms',`{ getattr write append lock ioctl }')
+define(`rw_blk_file_perms',`{ getattr read write append ioctl lock }')
+define(`create_blk_file_perms',`{ getattr create }')
+define(`rename_blk_file_perms',`{ getattr rename }')
+define(`delete_blk_file_perms',`{ getattr unlink }')
+define(`manage_blk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_blk_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_blk_file_perms',`{ getattr relabelto }')
+define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')
+
+#
+# Character device nodes (chr_file)
+#
+define(`getattr_chr_file_perms',`{ getattr }')
+define(`setattr_chr_file_perms',`{ setattr }')
+define(`read_chr_file_perms',`{ getattr read lock ioctl }')
+define(`append_chr_file_perms',`{ getattr append lock ioctl }')
+define(`write_chr_file_perms',`{ getattr write append lock ioctl }')
+define(`rw_chr_file_perms',`{ getattr read write append ioctl lock }')
+define(`create_chr_file_perms',`{ getattr create }')
+define(`rename_chr_file_perms',`{ getattr rename }')
+define(`delete_chr_file_perms',`{ getattr unlink }')
+define(`manage_chr_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
+define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }')
+define(`relabelto_chr_file_perms',`{ getattr relabelto }')
+define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
+
+########################################
+#
+# Special permission sets
+#
#
# Use (read and write) terminals