merge policy patterns to trunk

2006-12-12 20:08:08 +00:00 · 2006-12-12 20:08:08 +00:00 · c0868a7a3b
parent d6d16b9796
commit c0868a7a3b
356 changed files with 4378 additions and 5585 deletions
--- a/2
+++ b/2
@ -1,3 +1,5 @@
 - Add policy patterns support macros.  This changes the behavior of
  the create_dir_perms and create_file_perms permission sets.
 - Association polmatch MLS constraint making unlabeled_t an exception
  is no longer needed, patch from Venkat Yekkirala.
 - Context contains checking for PAM and cron from James Antill.
--- a/policy/modules/admin/acct.if
+++ b/policy/modules/admin/acct.if
@ -16,12 +16,7 @@ interface(`acct_domtrans',`
 	')
 	corecmd_search_sbin($1)
-	domain_auto_trans($1,acct_exec_t,acct_t)
+	domtrans_pattern($1,acct_exec_t,acct_t)
 	allow $1 acct_t:fd use;
 	allow acct_t $1:fd use;
 	allow acct_t $1:fifo_file rw_file_perms;
 	allow acct_t $1:process sigchld;
 ')
 ########################################
@ -80,7 +75,6 @@ interface(`acct_manage_data',`
 	')
 	files_search_var($1)
-	allow $1 acct_data_t:dir rw_dir_perms;
+	manage_files_pattern($1,acct_data_t,acct_data_t)
-	allow $1 acct_data_t:file create_file_perms;
+	manage_lnk_files_pattern($1,acct_data_t,acct_data_t)
 	allow $1 acct_data_t:lnk_file create_lnk_perms;
 ')
--- a/policy/modules/admin/acct.te
+++ b/policy/modules/admin/acct.te
@ -26,9 +26,8 @@ dontaudit acct_t self:capability { kill sys_tty_config };
 allow acct_t self:fifo_file { read write getattr };
 allow acct_t self:process signal_perms;
-allow acct_t acct_data_t:dir rw_dir_perms;
+manage_files_pattern(acct_t,acct_data_t,acct_data_t)
-allow acct_t acct_data_t:file create_file_perms;
+manage_lnk_files_pattern(acct_t,acct_data_t,acct_data_t)
 allow acct_t acct_data_t:lnk_file create_lnk_perms;
 can_exec(acct_t,acct_exec_t)
@ -98,4 +97,3 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(acct_t)
 ')
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@ -16,12 +16,7 @@ interface(`alsa_domtrans',`
 		type alsa_exec_t;
 	')
-	domain_auto_trans($1, alsa_exec_t, alsa_t)
+	domtrans_pattern($1, alsa_exec_t, alsa_t)
 	allow $1 alsa_t:fd use;
 	allow alsa_t $1:fd use;
 	allow alsa_t $1:fifo_file rw_file_perms;
 	allow alsa_t $1:process sigchld;
 ')
 ########################################
@ -75,7 +70,7 @@ interface(`alsa_read_rw_config',`
 		type alsa_etc_rw_t;
 	')
-	allow $1 alsa_etc_rw_t:dir r_dir_perms;
+	allow $1 alsa_etc_rw_t:dir list_dir_perms;
-	allow $1 alsa_etc_rw_t:file r_file_perms;
+	read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
-	allow $1 alsa_etc_rw_t:lnk_file { getattr read };
+	read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t)
 ')
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@ -27,9 +27,8 @@ allow alsa_t self:shm create_shm_perms;
 allow alsa_t self:unix_stream_socket create_stream_socket_perms;
 allow alsa_t self:unix_dgram_socket create_socket_perms;
-allow alsa_t alsa_etc_rw_t:dir rw_dir_perms;
+manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
-allow alsa_t alsa_etc_rw_t:file create_file_perms;
+manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
 allow alsa_t alsa_etc_rw_t:lnk_file create_lnk_perms;
 files_read_etc_files(alsa_t)
--- a/policy/modules/admin/amanda.if
+++ b/policy/modules/admin/amanda.if
@ -15,12 +15,7 @@ interface(`amanda_domtrans_recover',`
 		type amanda_recover_t, amanda_recover_exec_t;
 	')
-	domain_auto_trans($1,amanda_recover_exec_t,amanda_recover_t)
+	domtrans_pattern($1,amanda_recover_exec_t,amanda_recover_t)
 	allow $1 amanda_recover_t:fd use;
 	allow amanda_recover_t $1:fd use;
 	allow amanda_recover_t $1:fifo_file rw_file_perms;
 	allow amanda_recover_t $1:process sigchld;
 ')
 ########################################
@ -70,7 +65,7 @@ interface(`amanda_search_lib',`
 		type amanda_usr_lib_t;
 	')
-	allow $1 amanda_usr_lib_t:dir search;
+	allow $1 amanda_usr_lib_t:dir search_dir_perms;
 	files_search_usr($1)
 ')
@ -144,7 +139,5 @@ interface(`amanda_append_log_files',`
 		type amanda_log_t;
 	')
-	allow $1 amanda_log_t:file ra_file_perms;
+	allow $1 amanda_log_t:file { read_file_perms append_file_perms };
 ')
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@ -97,12 +97,12 @@ allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
 allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
 allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
-allow amanda_t amanda_log_t:file create_file_perms;
+manage_files_pattern(amanda_t,amanda_log_t,amanda_log_t)
-allow amanda_t amanda_log_t:dir manage_dir_perms;
+manage_dirs_pattern(amanda_t,amanda_log_t,amanda_log_t)
 logging_log_filetrans(amanda_t,amanda_log_t,{ file dir })
-allow amanda_t amanda_tmp_t:dir create_dir_perms;
+manage_files_pattern(amanda_t,amanda_tmp_t,amanda_tmp_t)
-allow amanda_t amanda_tmp_t:file create_file_perms;
+manage_dirs_pattern(amanda_t,amanda_tmp_t,amanda_tmp_t)
 files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
 kernel_read_system_state(amanda_t)
@ -180,23 +180,22 @@ allow amanda_recover_t self:unix_stream_socket { connect create read write };
 allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
 allow amanda_recover_t self:udp_socket create_socket_perms;
-allow amanda_recover_t amanda_log_t:dir rw_dir_perms;
+manage_files_pattern(amanda_recover_t,amanda_log_t,amanda_log_t)
-allow amanda_recover_t amanda_log_t:file manage_file_perms;
+manage_lnk_files_pattern(amanda_recover_t,amanda_log_t,amanda_log_t)
 allow amanda_recover_t amanda_log_t:lnk_file create_lnk_perms;
 # access to amanda_recover_dir_t
-allow amanda_recover_t amanda_recover_dir_t:dir create_dir_perms;
+manage_dirs_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
-allow amanda_recover_t amanda_recover_dir_t:file create_file_perms;
+manage_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
-allow amanda_recover_t amanda_recover_dir_t:lnk_file create_lnk_perms;
+manage_lnk_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
-allow amanda_recover_t amanda_recover_dir_t:sock_file create_file_perms;
+manage_fifo_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
-allow amanda_recover_t amanda_recover_dir_t:fifo_file create_file_perms;
+manage_sock_files_pattern(amanda_recover_t,amanda_recover_dir_t,amanda_recover_dir_t)
 userdom_sysadm_home_dir_filetrans(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
-allow amanda_recover_t amanda_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
-allow amanda_recover_t amanda_tmp_t:file create_file_perms;
+manage_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
-allow amanda_recover_t amanda_tmp_t:lnk_file create_lnk_perms;
+manage_lnk_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
-allow amanda_recover_t amanda_tmp_t:sock_file create_file_perms;
+manage_fifo_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
-allow amanda_recover_t amanda_tmp_t:fifo_file create_file_perms;
+manage_sock_files_pattern(amanda_recover_t,amanda_tmp_t,amanda_tmp_t)
 files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
 kernel_read_system_state(amanda_recover_t)
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@ -17,13 +17,7 @@ interface(`apt_domtrans',`
 	files_search_usr($1)
 	corecmd_search_bin($1)
-	domain_auto_trans($1,apt_exec_t,apt_t)
+	domtrans_pattern($1,apt_exec_t,apt_t)
 	# allow basic communication
 	allow $1 apt_t:fd use;
 	allow apt_t $1:fd use;
 	allow apt_t $1:fifo_file rw_file_perms;
 	allow apt_t $1:process sigchld;
 ')
 ########################################
@ -92,7 +86,7 @@ interface(`apt_read_pipes',`
 		type apt_t;
 	')
-	allow $1 apt_t:fifo_file r_file_perms;
+	allow $1 apt_t:fifo_file read_fifo_file_perms;
 	# TODO: enforce dpkg_read_pipes?
 ')
@ -131,9 +125,9 @@ interface(`apt_read_db',`
 	')
 	files_search_var_lib($1)
-	allow $1 apt_var_lib_t:dir r_dir_perms;
+	allow $1 apt_var_lib_t:dir list_dir_perms;
-	allow $1 apt_var_lib_t:file { getattr read };
+	read_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
-	allow $1 apt_var_lib_t:lnk_file r_file_perms;
+	read_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
 ')
 ########################################
@ -152,9 +146,10 @@ interface(`apt_manage_db',`
 	')
 	files_search_var_lib($1)
-	allow $1 apt_var_lib_t:dir rw_dir_perms;
+	manage_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
-	allow $1 apt_var_lib_t:file { getattr create read write append unlink };
+	# cjp: shouldnt this be manage_lnk_files?
-	allow $1 apt_var_lib_t:lnk_file { getattr read write unlink };
+	rw_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
 	delete_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
 ')
 ########################################
@ -174,6 +169,6 @@ interface(`apt_dontaudit_manage_db',`
 	')
 	dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
-	dontaudit $1 apt_var_lib_t:file create_file_perms;
+	dontaudit $1 apt_var_lib_t:file manage_file_perms;
-	dontaudit $1 apt_var_lib_t:lnk_file create_lnk_perms;
+	dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_perms;
 ')
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@ -34,7 +34,7 @@ files_type(apt_var_cache_t)
 allow apt_t self:capability { chown dac_override fowner fsetid };
 allow apt_t self:process { signal setpgid fork };
 allow apt_t self:fd use;
-allow apt_t self:fifo_file rw_file_perms;
+allow apt_t self:fifo_file rw_fifo_file_perms;
 allow apt_t self:unix_dgram_socket create_socket_perms;
 allow apt_t self:unix_stream_socket rw_stream_socket_perms;
 allow apt_t self:unix_dgram_socket sendto;
@ -47,24 +47,22 @@ allow apt_t self:msgq create_msgq_perms;
 allow apt_t self:msg { send receive };
 # Access /var/cache/apt files
-allow apt_t apt_var_cache_t:file create_file_perms;
+manage_files_pattern(apt_t,apt_var_cache_t,apt_var_cache_t)
 allow apt_t apt_var_cache_t:dir rw_dir_perms;
 files_var_filetrans(apt_t,apt_var_cache_t,dir)
-allow apt_t apt_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(apt_t,apt_tmp_t,apt_tmp_t)
-allow apt_t apt_tmp_t:file create_file_perms;
+manage_files_pattern(apt_t,apt_tmp_t,apt_tmp_t)
 files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
-allow apt_t apt_tmpfs_t:dir create_dir_perms;
+manage_dirs_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
-allow apt_t apt_tmpfs_t:file create_file_perms;
+manage_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
-allow apt_t apt_tmpfs_t:lnk_file create_file_perms;
+manage_lnk_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
-allow apt_t apt_tmpfs_t:sock_file create_file_perms;
+manage_fifo_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
-allow apt_t apt_tmpfs_t:fifo_file create_file_perms;
+manage_sock_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
 fs_tmpfs_filetrans(apt_t,apt_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 # Access /var/lib/apt files
-allow apt_t apt_var_lib_t:file create_file_perms;
+manage_files_pattern(apt_t,apt_var_lib_t,apt_var_lib_t)
 allow apt_t apt_var_lib_t:dir rw_dir_perms;
 files_var_lib_filetrans(apt_t,apt_var_lib_t,dir)
 kernel_read_system_state(apt_t)
--- a/policy/modules/admin/backup.if
+++ b/policy/modules/admin/backup.if
@ -15,10 +15,7 @@ interface(`backup_domtrans',`
 		type backup_t, backup_exec_t;
 	')
-	domain_auto_trans($1,backup_exec_t,backup_t)
+	domtrans_pattern($1,backup_exec_t,backup_t)
 	allow backup_t $1:fd use;
 	allow backup_t $1:fifo_file rw_file_perms;
 	allow backup_t $1:process sigchld;
 ')
 ########################################
--- a/policy/modules/admin/backup.te
+++ b/policy/modules/admin/backup.te
@ -22,13 +22,14 @@ files_type(backup_store_t)
 allow backup_t self:capability dac_override;
 allow backup_t self:process signal;
-allow backup_t self:fifo_file rw_file_perms;
+allow backup_t self:fifo_file rw_fifo_file_perms;
 allow backup_t self:tcp_socket create_socket_perms;
 allow backup_t self:udp_socket create_socket_perms;
-allow backup_t backup_store_t:dir ra_dir_perms;
+allow backup_t backup_store_t:file setattr;
-allow backup_t backup_store_t:file { create rw_file_perms setattr };
+create_files_pattern(backup_t,backup_store_t,backup_store_t)
-allow backup_t backup_store_t:lnk_file { getattr read };
+rw_files_pattern(backup_t,backup_store_t,backup_store_t)
 read_lnk_files_pattern(backup_t,backup_store_t,backup_store_t)
 kernel_read_system_state(backup_t)
 kernel_read_kernel_sysctls(backup_t)
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@ -15,12 +15,7 @@ interface(`bootloader_domtrans',`
 		type bootloader_t, bootloader_exec_t;
 	')
-	domain_auto_trans($1, bootloader_exec_t, bootloader_t)
+	domtrans_pattern($1, bootloader_exec_t, bootloader_t)
 	allow $1 bootloader_t:fd use;
 	allow bootloader_t $1:fd use;
 	allow bootloader_t $1:fifo_file rw_file_perms;
 	allow bootloader_t $1:process sigchld;
 ')
 ########################################
@ -53,7 +48,7 @@ interface(`bootloader_run',`
 	bootloader_domtrans($1)
 	role $2 types bootloader_t;
-	allow bootloader_t $3:chr_file rw_file_perms;
+	allow bootloader_t $3:chr_file rw_term_perms;
 ')
 ########################################
@ -71,7 +66,7 @@ interface(`bootloader_read_config',`
 		type bootloader_etc_t;
 	')
-	allow $1 bootloader_etc_t:file r_file_perms;
+	allow $1 bootloader_etc_t:file read_file_perms;
 ')
 ########################################
@ -127,10 +122,9 @@ interface(`bootloader_rw_tmp_files',`
 #
 interface(`bootloader_create_runtime_file',`
 	gen_require(`
-		type boot_t, boot_runtime_t;
+		type boot_runtime_t;
 	')
-	allow $1 boot_t:dir rw_dir_perms;
+	allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
-	allow $1 boot_runtime_t:file { rw_file_perms create unlink };
+	files_boot_filetrans($1,boot_runtime_t,file)
 	type_transition $1 boot_t:file boot_runtime_t;
 ')
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@ -50,18 +50,18 @@ logging_log_file(var_log_ksyms_t)
 allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
 allow bootloader_t self:process { sigkill sigstop signull signal execmem };
-allow bootloader_t self:fifo_file rw_file_perms;
+allow bootloader_t self:fifo_file rw_fifo_file_perms;
-allow bootloader_t bootloader_etc_t:file r_file_perms;
+allow bootloader_t bootloader_etc_t:file read_file_perms;
 # uncomment the following lines if you use "lilo -p"
 #allow bootloader_t bootloader_etc_t:file manage_file_perms;
 #files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
-allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
-allow bootloader_t bootloader_tmp_t:file create_file_perms;
+manage_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
-allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
+manage_lnk_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
-allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
+manage_blk_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
-allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
+manage_chr_files_pattern(bootloader_t,bootloader_tmp_t,bootloader_tmp_t)
 files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
 # for tune2fs (cjp: ?)
 files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
@ -161,7 +161,7 @@ ifdef(`distro_redhat',`
 	allow bootloader_t self:capability ipc_lock;
 	# new file system defaults to file_t, granting file_t access is still bad.
-	allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
+	allow bootloader_t boot_runtime_t:file { read_file_perms unlink };
 	# mkinitrd mount initrd on bootloader temp dir
 	files_mountpoint(bootloader_tmp_t)
--- a/policy/modules/admin/certwatch.if
+++ b/policy/modules/admin/certwatch.if
@ -17,12 +17,7 @@ interface(`certwatch_domtrans',`
 	files_search_usr($1)
 	corecmd_search_sbin($1)
-	domain_auto_trans($1,certwatch_exec_t,certwatch_t)
+	domtrans_pattern($1,certwatch_exec_t,certwatch_t)
 	allow $1 certwatch_t:fd use;
 	allow certwatch_t $1:fd use;
 	allow certwatch_t $1:fifo_file rw_file_perms;
 	allow certwatch_t $1:process sigchld;
 ')
 ########################################
--- a/policy/modules/admin/consoletype.if
+++ b/policy/modules/admin/consoletype.if
@ -18,12 +18,7 @@ interface(`consoletype_domtrans',`
 	')
 	corecmd_search_sbin($1)
-	domain_auto_trans($1,consoletype_exec_t,consoletype_t)
+	domtrans_pattern($1,consoletype_exec_t,consoletype_t)
 	allow $1 consoletype_t:fd use;
 	allow consoletype_t $1:fd use;
 	allow consoletype_t $1:fifo_file rw_file_perms;
 	allow consoletype_t $1:process sigchld;
 ')
 ########################################
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@ -25,8 +25,8 @@ ifdef(`targeted_policy',`',`
 allow consoletype_t self:capability sys_admin;
 allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow consoletype_t self:fd use;
-allow consoletype_t self:fifo_file rw_file_perms;
+allow consoletype_t self:fifo_file rw_fifo_file_perms;
-allow consoletype_t self:sock_file r_file_perms;
+allow consoletype_t self:sock_file read_sock_file_perms;
 allow consoletype_t self:unix_dgram_socket create_socket_perms;
 allow consoletype_t self:unix_stream_socket create_stream_socket_perms;
 allow consoletype_t self:unix_dgram_socket sendto;
--- a/policy/modules/admin/ddcprobe.if
+++ b/policy/modules/admin/ddcprobe.if
@ -15,12 +15,7 @@ interface(`ddcprobe_domtrans',`
 		type ddcprobe_t, ddcprobe_exec_t;
 	')
-	domain_auto_trans($1,ddcprobe_exec_t,ddcprobe_t)
+	domtrans_pattern($1,ddcprobe_exec_t,ddcprobe_t)
 	allow $1 ddcprobe_t:fd use;
 	allow ddcprobe_t $1:fd use;
 	allow ddcprobe_t $1:fifo_file rw_file_perms;
 	allow ddcprobe_t $1:process sigchld;
 ')
 ########################################
--- a/policy/modules/admin/dpkg.if
+++ b/policy/modules/admin/dpkg.if
@ -19,13 +19,7 @@ interface(`dpkg_domtrans',`
 	files_search_usr($1)
 	corecmd_search_bin($1)
-	domain_auto_trans($1,dpkg_exec_t,dpkg_t)
+	domtrans_pattern($1,dpkg_exec_t,dpkg_t)
 	# allow basic communication
 	allow $1 dpkg_t:fd use;
 	allow dpkg_t $1:fd use;
 	allow dpkg_t $1:fifo_file rw_file_perms;
 	allow dpkg_t $1:process sigchld;
 ')
 ########################################
@ -45,8 +39,6 @@ interface(`dpkg_domtrans_script',`
 	# transition to dpkg script:
 	corecmd_shell_domtrans($1,dpkg_script_t)
 	allow $1 dpkg_script_t:fd use;
 	allow dpkg_script_t $1:fd use;
 	allow dpkg_script_t $1:fifo_file rw_file_perms;
 	allow dpkg_script_t $1:process sigchld;
@ -118,7 +110,7 @@ interface(`dpkg_read_pipes',`
 		type dpkg_t;
 	')
-	allow $1 dpkg_t:fifo_file r_file_perms;
+	allow $1 dpkg_t:fifo_file read_fifo_file_perms;
 ')
 ########################################
@ -136,7 +128,7 @@ interface(`dpkg_rw_pipes',`
 		type dpkg_t;
 	')
-	allow $1 dpkg_t:fifo_file rw_file_perms;
+	allow $1 dpkg_t:fifo_file rw_fifo_file_perms;
 ')
 ########################################
@ -173,9 +165,9 @@ interface(`dpkg_read_db',`
 	')
 	files_search_var_lib($1)
-	allow $1 dpkg_var_lib_t:dir r_dir_perms;
+	allow $1 dpkg_var_lib_t:dir list_dir_perms;
-	allow $1 dpkg_var_lib_t:file { getattr read };
+	read_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
-	allow $1 dpkg_var_lib_t:lnk_file r_file_perms;
+	read_lnk_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
 ')
 ########################################
@ -194,9 +186,8 @@ interface(`dpkg_manage_db',`
 	')
 	files_search_var_lib($1)
-	allow $1 dpkg_var_lib_t:dir rw_dir_perms;
+	manage_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
-	allow $1 dpkg_var_lib_t:file manage_file_perms;
+	manage_lnk_files_pattern($1,dpkg_var_lib_t,dpkg_var_lib_t)
 	allow $1 dpkg_var_lib_t:lnk_file { getattr read write unlink };
 ')
 ########################################
@ -217,7 +208,7 @@ interface(`dpkg_dontaudit_manage_db',`
 	dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
 	dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
-	dontaudit $1 dpkg_var_lib_t:lnk_file create_lnk_perms;
+	dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
 ########################################
@ -236,6 +227,6 @@ interface(`dpkg_lock_db',`
 	')
 	files_search_var_lib($1)
-	allow $1 dpkg_var_lib_t:dir r_dir_perms;
+	allow $1 dpkg_var_lib_t:dir list_dir_perms;
 	allow $1 dpkg_lock_t:file { getattr create read write append unlink lock };
 ')
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@ -55,7 +55,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t)
 allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
 allow dpkg_t self:process { setpgid fork getsched setfscreate };
 allow dpkg_t self:fd use;
-allow dpkg_t self:fifo_file rw_file_perms;
+allow dpkg_t self:fifo_file rw_fifo_file_perms;
 allow dpkg_t self:unix_dgram_socket create_socket_perms;
 allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
 allow dpkg_t self:unix_dgram_socket sendto;
@ -69,20 +69,19 @@ allow dpkg_t self:msg { send receive };
 allow dpkg_t dpkg_lock_t:file manage_file_perms;
-allow dpkg_t dpkg_tmp_t:dir manage_dir_perms;
+manage_dirs_pattern(dpkg_t,dpkg_tmp_t,dpkg_tmp_t)
-allow dpkg_t dpkg_tmp_t:file manage_file_perms;
+manage_files_pattern(dpkg_t,dpkg_tmp_t,dpkg_tmp_t)
 files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
-allow dpkg_t dpkg_tmpfs_t:dir manage_dir_perms;
+manage_dirs_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
-allow dpkg_t dpkg_tmpfs_t:file manage_file_perms;
+manage_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
-allow dpkg_t dpkg_tmpfs_t:lnk_file manage_file_perms;
+manage_lnk_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
-allow dpkg_t dpkg_tmpfs_t:sock_file manage_file_perms;
+manage_sock_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
-allow dpkg_t dpkg_tmpfs_t:fifo_file manage_file_perms;
+manage_fifo_files_pattern(dpkg_t,dpkg_tmpfs_t,dpkg_tmpfs_t)
 fs_tmpfs_filetrans(dpkg_t,dpkg_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 # Access /var/lib/dpkg files
-allow dpkg_t dpkg_var_lib_t:file manage_file_perms;
+manage_files_pattern(dpkg_t,dpkg_var_lib_t,dpkg_var_lib_t)
 allow dpkg_t dpkg_var_lib_t:dir rw_dir_perms;
 files_var_lib_filetrans(dpkg_t,dpkg_var_lib_t,dir)
 kernel_read_system_state(dpkg_t)
--- a/policy/modules/admin/firstboot.if
+++ b/policy/modules/admin/firstboot.if
@ -18,12 +18,7 @@ interface(`firstboot_domtrans',`
 		type firstboot_t, firstboot_exec_t;
 	')
-	domain_auto_trans($1,firstboot_exec_t,firstboot_t)
+	domtrans_pattern($1,firstboot_exec_t,firstboot_t)
 	allow $1 firstboot_t:fd use;
 	allow firstboot_t $1:fd use;
 	allow firstboot_t $1:fifo_file rw_file_perms;
 	allow firstboot_t $1:process sigchld;
 ')
 ########################################
--- a/policy/modules/admin/kudzu.if
+++ b/policy/modules/admin/kudzu.if
@ -15,12 +15,7 @@ interface(`kudzu_domtrans',`
 		type kudzu_t, kudzu_exec_t;
 	')
-	domain_auto_trans($1,kudzu_exec_t,kudzu_t)
+	domtrans_pattern($1,kudzu_exec_t,kudzu_t)
 	allow $1 kudzu_t:fd use;
 	allow kudzu_t $1:fd use;
 	allow kudzu_t $1:fifo_file rw_file_perms;
 	allow kudzu_t $1:process sigchld;
 ')
 ########################################
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@ -24,17 +24,18 @@ files_pid_file(kudzu_var_run_t)
 allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
 dontaudit kudzu_t self:capability sys_tty_config;
 allow kudzu_t self:process { signal_perms execmem };
-allow kudzu_t self:fifo_file rw_file_perms;
+allow kudzu_t self:fifo_file rw_fifo_file_perms;
 allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow kudzu_t self:unix_dgram_socket create_socket_perms;
 allow kudzu_t self:udp_socket { create ioctl };
-allow kudzu_t kudzu_tmp_t:dir create_file_perms;
+manage_dirs_pattern(kudzu_t,kudzu_tmp_t,kudzu_tmp_t)
-allow kudzu_t kudzu_tmp_t:{ file chr_file } create_file_perms;
+manage_files_pattern(kudzu_t,kudzu_tmp_t,kudzu_tmp_t)
 manage_chr_files_pattern(kudzu_t,kudzu_tmp_t,kudzu_tmp_t)
 files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
-allow kudzu_t kudzu_var_run_t:file create_file_perms;
+manage_dirs_pattern(kudzu_t,kudzu_var_run_t,kudzu_var_run_t)
-allow kudzu_t kudzu_var_run_t:dir create_dir_perms;
+manage_files_pattern(kudzu_t,kudzu_var_run_t,kudzu_var_run_t)
 files_pid_filetrans(kudzu_t,kudzu_var_run_t,file)
 kernel_change_ring_buffer_level(kudzu_t)
--- a/policy/modules/admin/logrotate.if
+++ b/policy/modules/admin/logrotate.if
@ -15,12 +15,7 @@ interface(`logrotate_domtrans',`
 		type logrotate_t, logrotate_exec_t;
 	')
-	domain_auto_trans($1,logrotate_exec_t,logrotate_t)
+	domtrans_pattern($1,logrotate_exec_t,logrotate_t)
 	allow $1 logrotate_t:fd use;
 	allow logrotate_t $1:fd use;
 	allow logrotate_t $1:fifo_file rw_file_perms;
 	allow logrotate_t $1:process sigchld;
 ')
 ########################################
@ -125,5 +120,5 @@ interface(`logrotate_read_tmp_files',`
 	')
 	files_search_tmp($1)
-	allow $1 logrotate_tmp_t:file r_file_perms;
+	allow $1 logrotate_tmp_t:file read_file_perms;
 ')
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@ -40,7 +40,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi
 allow logrotate_t self:process setfscreate;
 allow logrotate_t self:fd use;
-allow logrotate_t self:fifo_file rw_file_perms;
+allow logrotate_t self:fifo_file rw_fifo_file_perms;
 allow logrotate_t self:unix_dgram_socket create_socket_perms;
 allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
 allow logrotate_t self:unix_dgram_socket sendto;
@ -50,18 +50,18 @@ allow logrotate_t self:sem create_sem_perms;
 allow logrotate_t self:msgq create_msgq_perms;
 allow logrotate_t self:msg { send receive };
-allow logrotate_t logrotate_lock_t:file create_file_perms;
+allow logrotate_t logrotate_lock_t:file manage_file_perms;
 files_lock_filetrans(logrotate_t,logrotate_lock_t,file)
 can_exec(logrotate_t, logrotate_tmp_t)
-allow logrotate_t logrotate_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(logrotate_t,logrotate_tmp_t,logrotate_tmp_t)
-allow logrotate_t logrotate_tmp_t:file create_file_perms;
+manage_files_pattern(logrotate_t,logrotate_tmp_t,logrotate_tmp_t)
 files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
 # for /var/lib/logrotate.status and /var/lib/logcheck
-allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms };
+create_dirs_pattern(logrotate_t,logrotate_var_lib_t,logrotate_var_lib_t)
-allow logrotate_t logrotate_var_lib_t:file create_file_perms;
+manage_files_pattern(logrotate_t,logrotate_var_lib_t,logrotate_var_lib_t)
 files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
 kernel_read_system_state(logrotate_t)
--- a/policy/modules/admin/logwatch.if
+++ b/policy/modules/admin/logwatch.if
@ -16,7 +16,7 @@ interface(`logwatch_read_tmp_files',`
 	')
 	files_search_tmp($1)
-	allow $1 logwatch_tmp_t:file r_file_perms;
+	allow $1 logwatch_tmp_t:file read_file_perms;
 ')
 ########################################
@ -34,5 +34,5 @@ interface(`logwatch_search_cache_dir',`
 		type logwatch_cache_t;
 	')
-	allow $1 logwatch_cache_t:dir search;
+	allow $1 logwatch_cache_t:dir search_dir_perms;
 ')
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@ -31,14 +31,14 @@ allow logwatch_t self:process signal;
 allow logwatch_t self:fifo_file rw_file_perms;
 allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
-allow logwatch_t logwatch_cache_t:dir create_dir_perms;
+manage_dirs_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
-allow logwatch_t logwatch_cache_t:file create_file_perms;
+manage_files_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
 allow logwatch_t logwatch_lock_t:file manage_file_perms;
 files_lock_filetrans(logwatch_t,logwatch_lock_t,file)
-allow logwatch_t logwatch_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(logwatch_t,logwatch_tmp_t,logwatch_tmp_t)
-allow logwatch_t logwatch_tmp_t:file create_file_perms;
+manage_files_pattern(logwatch_t,logwatch_tmp_t,logwatch_tmp_t)
 files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
 kernel_read_fs_sysctls(logwatch_t)
--- a/policy/modules/admin/mrtg.if
+++ b/policy/modules/admin/mrtg.if
@ -14,6 +14,7 @@ interface(`mrtg_append_create_logs',`
 	gen_require(`
 		type mrtg_log_t;
 	')
-	allow $1 mrtg_log_t:dir rw_dir_perms;
+
-	allow $1 mrtg_log_t:file { create append getattr };
+	append_files_pattern($1,mrtg_log_t,mrtg_log_t)
 	create_files_pattern($1,mrtg_log_t,mrtg_log_t)
 ')
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@ -38,31 +38,24 @@ allow mrtg_t self:unix_stream_socket create_socket_perms;
 allow mrtg_t self:tcp_socket create_socket_perms;
 allow mrtg_t self:udp_socket create_socket_perms;
-allow mrtg_t mrtg_etc_t:file r_file_perms;
+allow mrtg_t mrtg_etc_t:dir list_dir_perms;
-allow mrtg_t mrtg_etc_t:dir r_dir_perms;
+read_files_pattern(mrtg_t,mrtg_etc_t,mrtg_etc_t)
-allow mrtg_t mrtg_etc_t:lnk_file { getattr read };
+read_lnk_files_pattern(mrtg_t,mrtg_etc_t,mrtg_etc_t)
-files_search_etc(mrtg_t)
+dontaudit mrtg_t mrtg_etc_t:dir write;
 dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
-allow mrtg_t mrtg_lock_t:dir rw_dir_perms;
+manage_files_pattern(mrtg_t,mrtg_lock_t,mrtg_lock_t)
-allow mrtg_t mrtg_lock_t:file create_file_perms;
+manage_lnk_files_pattern(mrtg_t,mrtg_lock_t,mrtg_lock_t)
 allow mrtg_t mrtg_lock_t:lnk_file create_lnk_perms;
-allow mrtg_t mrtg_log_t:file create_file_perms;
+manage_files_pattern(mrtg_t,mrtg_log_t,mrtg_log_t)
 allow mrtg_t mrtg_log_t:dir rw_dir_perms;
 logging_log_filetrans(mrtg_t,mrtg_log_t,{ file dir })
-allow mrtg_t mrtg_var_lib_t:dir rw_dir_perms;
+manage_files_pattern(mrtg_t,mrtg_var_lib_t,mrtg_var_lib_t)
-allow mrtg_t mrtg_var_lib_t:file create_file_perms;
+manage_lnk_files_pattern(mrtg_t,mrtg_var_lib_t,mrtg_var_lib_t)
 allow mrtg_t mrtg_var_lib_t:lnk_file create_lnk_perms;
 allow mrtg_t mrtg_var_run_t:file manage_file_perms;
 files_pid_filetrans(mrtg_t,mrtg_var_run_t,file)
 # read config files
 dontaudit mrtg_t mrtg_etc_t:dir write;
 dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
 files_read_etc_files(mrtg_t)
 kernel_read_system_state(mrtg_t)
 kernel_read_network_state(mrtg_t)
 kernel_read_kernel_sysctls(mrtg_t)
@ -94,6 +87,8 @@ files_search_spool(mrtg_t)
 files_getattr_tmp_dirs(mrtg_t)
 # for uptime
 files_read_etc_runtime_files(mrtg_t)
 # read config files
 files_read_etc_files(mrtg_t)
 fs_search_auto_mountpoints(mrtg_t)
 fs_getattr_xattr_fs(mrtg_t)
@ -127,9 +122,8 @@ ifdef(`enable_mls',`
 ')
 ifdef(`distro_redhat',`
-	allow mrtg_t mrtg_etc_t:dir rw_dir_perms;
+	allow mrtg_t mrtg_lock_t:file manage_file_perms;
-	allow mrtg_t mrtg_lock_t:file create_file_perms;
+	filetrans_pattern(mrtg_t,mrtg_etc_t,mrtg_lock_t,file)
 	type_transition mrtg_t mrtg_etc_t:file mrtg_lock_t;
 ')
 ifdef(`targeted_policy',`
--- a/policy/modules/admin/netutils.if
+++ b/policy/modules/admin/netutils.if
@ -15,12 +15,7 @@ interface(`netutils_domtrans',`
 		type netutils_t, netutils_exec_t;
 	')
-	domain_auto_trans($1,netutils_exec_t,netutils_t)
+	domtrans_pattern($1,netutils_exec_t,netutils_t)
 	allow $1 netutils_t:fd use;
 	allow netutils_t $1:fd use;
 	allow netutils_t $1:fifo_file rw_file_perms;
 	allow netutils_t $1:process sigchld;
 ')
 ########################################
@ -88,12 +83,7 @@ interface(`netutils_domtrans_ping',`
 		type ping_t, ping_exec_t;
 	')
-	domain_auto_trans($1,ping_exec_t,ping_t)
+	domtrans_pattern($1,ping_exec_t,ping_t)
 	allow $1 ping_t:fd use;
 	allow ping_t $1:fd use;
 	allow ping_t $1:fifo_file rw_file_perms;
 	allow ping_t $1:process sigchld;
 ')
 ########################################
@ -233,12 +223,7 @@ interface(`netutils_domtrans_traceroute',`
 		type traceroute_t, traceroute_exec_t;
 	')
-	domain_auto_trans($1,traceroute_exec_t,traceroute_t)
+	domtrans_pattern($1,traceroute_exec_t,traceroute_t)
 	allow $1 traceroute_t:fd use;
 	allow traceroute_t $1:fd use;
 	allow traceroute_t $1:fifo_file rw_file_perms;
 	allow traceroute_t $1:process sigchld;
 ')
 ########################################
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@ -37,8 +37,8 @@ allow netutils_t self:packet_socket create_socket_perms;
 allow netutils_t self:udp_socket create_socket_perms;
 allow netutils_t self:tcp_socket create_stream_socket_perms;
-allow netutils_t netutils_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t)
-allow netutils_t netutils_tmp_t:file create_file_perms;
+manage_files_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t)
 files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
 kernel_search_proc(netutils_t)
@ -98,7 +98,6 @@ optional_policy(`
 allow ping_t self:capability { setuid net_raw };
 dontaudit ping_t self:capability sys_tty_config;
 allow ping_t self:tcp_socket create_socket_perms;
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
@ -120,11 +119,11 @@ files_dontaudit_search_var(ping_t)
 libs_use_ld_so(ping_t)
 libs_use_shared_libs(ping_t)
 logging_send_syslog_msg(ping_t)
 sysnet_read_config(ping_t)
 sysnet_dns_name_resolve(ping_t)
 logging_send_syslog_msg(ping_t)
 ifdef(`hide_broken_symptoms',`
 	init_dontaudit_use_fds(ping_t)
 ')
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@ -28,10 +28,7 @@ interface(`portage_domtrans',`
 	allow portage_t $1:process sigchld;
 	# transition to portage
-	domain_auto_trans($1,portage_exec_t,portage_t.merge)
+	domtrans_pattern($1,portage_exec_t,portage_t.merge)
 	allow portage_t.merge $1:fd use;
 	allow portage_t.merge $1:fifo_file rw_file_perms;
 	allow portage_t.merge $1:process sigchld;
 ')
 ########################################
@ -102,7 +99,7 @@ interface(`portage_compile_domain',`
 	allow $1 self:process { setpgid setsched setrlimit signal_perms execmem };
 	allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1 self:fd use;
-	allow $1 self:fifo_file rw_file_perms;
+	allow $1 self:fifo_file rw_fifo_file_perms;
 	allow $1 self:shm create_shm_perms;
 	allow $1 self:sem create_sem_perms;
 	allow $1 self:msgq create_msgq_perms;
@ -120,7 +117,7 @@ interface(`portage_compile_domain',`
 	allow $1 self:netlink_selinux_socket { bind create read };
 	allow $1 self:dbus send_msg;
-	allow $1 portage_devpts_t:chr_file { rw_file_perms setattr };
+	allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr };
 	term_create_pty($1,portage_devpts_t)
 	# write compile logs
@ -130,18 +127,17 @@ interface(`portage_compile_domain',`
 	# run scripts out of the build directory
 	can_exec(portage_sandbox_t,portage_tmp_t)
-	allow $1 portage_tmp_t:dir manage_dir_perms;
+	manage_dirs_pattern($1,portage_tmp_t,portage_tmp_t)
-	allow $1 portage_tmp_t:file manage_file_perms;
+	manage_files_pattern($1,portage_tmp_t,portage_tmp_t)
-	allow $1 portage_tmp_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($1,portage_tmp_t,portage_tmp_t)
-	allow $1 portage_tmp_t:fifo_file manage_file_perms;
+	manage_fifo_files_pattern($1,portage_tmp_t,portage_tmp_t)
-	allow $1 portage_tmp_t:sock_file manage_file_perms;
+	manage_sock_files_pattern($1,portage_tmp_t,portage_tmp_t)
 	files_tmp_filetrans($1,portage_tmp_t,{ dir file lnk_file sock_file fifo_file })
-	allow $1 portage_tmpfs_t:dir rw_dir_perms;
+	manage_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
-	allow $1 portage_tmpfs_t:file manage_file_perms;
+	manage_lnk_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
-	allow $1 portage_tmpfs_t:lnk_file create_lnk_perms;
+	manage_fifo_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
-	allow $1 portage_tmpfs_t:sock_file manage_file_perms;
+	manage_sock_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
 	allow $1 portage_tmpfs_t:fifo_file manage_file_perms;
 	fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 	kernel_read_system_state($1)
@ -229,13 +225,13 @@ interface(`portage_fetch_domain',`
 	allow $1 self:tcp_socket create_stream_socket_perms;
 	allow $1 portage_conf_t:dir list_dir_perms;
-	allow $1 portage_conf_t:file read_file_perms;
+	read_files_pattern($1,portage_conf_t,portage_conf_t)
-	allow $1 portage_ebuild_t:dir manage_dir_perms;
+	manage_dirs_pattern($1,portage_ebuild_t,portage_ebuild_t)
-	allow $1 portage_ebuild_t:file manage_file_perms;
+	manage_files_pattern($1,portage_ebuild_t,portage_ebuild_t)
-	allow $1 portage_fetch_tmp_t:dir manage_dir_perms;
+	manage_dirs_pattern($1,portage_fetch_tmp_t,portage_fetch_tmp_t)
-	allow $1 portage_fetch_tmp_t:file manage_file_perms;
+	manage_files_pattern($1,portage_fetch_tmp_t,portage_fetch_tmp_t)
 	# portage makes home dir the portage tmp dir, so
 	# wget looks for .wgetrc there
@ -302,7 +298,7 @@ interface(`portage_main_domain',`
 	# performed in the main domain
 	portage_compile_domain($1)
-	allow $1 portage_log_t:file create_file_perms;
+	allow $1 portage_log_t:file manage_file_perms;
 	logging_log_filetrans($1,portage_log_t,file)
 	# run scripts out of the build directory
@ -371,10 +367,7 @@ interface(`portage_domtrans_gcc_config',`
 	files_search_usr($1)
 	corecmd_search_bin($1)
-	domain_auto_trans($1,gcc_config_exec_t,gcc_config_t)
+	domtrans_pattern($1,gcc_config_exec_t,gcc_config_t)
 	allow gcc_config_t $1:fd use;
 	allow gcc_config_t $1:fifo_file rw_file_perms;
 	allow gcc_config_t $1:process sigchld;
 ')
 ########################################
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@ -75,14 +75,12 @@ files_tmpfs_file(portage_tmpfs_t)
 allow gcc_config_t self:capability { chown fsetid };
 allow gcc_config_t self:fifo_file rw_file_perms;
-allow gcc_config_t portage_cache_t:dir rw_dir_perms;
+manage_files_pattern(gcc_config_t,portage_cache_t,portage_cache_t)
 allow gcc_config_t portage_cache_t:file create_file_perms;
-allow gcc_config_t portage_conf_t:dir search_dir_perms;
+read_files_pattern(gcc_config_t,portage_conf_t,portage_conf_t)
 allow gcc_config_t portage_conf_t:file read_file_perms;
 allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
-allow gcc_config_t portage_ebuild_t:file read_file_perms;
+read_files_pattern(gcc_config_t,portage_ebuild_t,portage_ebuild_t)
 allow gcc_config_t portage_exec_t:file { execute getattr };
--- a/policy/modules/admin/prelink.if
+++ b/policy/modules/admin/prelink.if
@ -16,12 +16,7 @@ interface(`prelink_domtrans',`
 	')
 	corecmd_search_sbin($1)
-	domain_auto_trans($1, prelink_exec_t, prelink_t)
+	domtrans_pattern($1, prelink_exec_t, prelink_t)
 	allow $1 prelink_t:fd use;
 	allow prelink_t $1:fd use;
 	allow prelink_t $1:fifo_file rw_file_perms;
 	allow prelink_t $1:process sigchld;
 ')
 ########################################
@ -98,6 +93,5 @@ interface(`prelink_manage_log',`
 	')
 	logging_search_logs($1)
-	allow $1 prelink_log_t:dir rw_dir_perms;
+	manage_files_pattern($1,prelink_log_t,prelink_log_t)
 	allow $1 prelink_log_t:file create_file_perms;
 ')
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@ -25,20 +25,21 @@ logging_log_file(prelink_log_t)
 allow prelink_t self:capability { chown dac_override fowner fsetid };
 allow prelink_t self:process { execheap execmem execstack signal };
-allow prelink_t self:fifo_file rw_file_perms;
+allow prelink_t self:fifo_file rw_fifo_file_perms;
 allow prelink_t prelink_cache_t:file manage_file_perms;
 files_etc_filetrans(prelink_t, prelink_cache_t, file)
 files_var_lib_filetrans(prelink_t, prelink_cache_t, file)
-allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
+allow prelink_t prelink_log_t:dir setattr;
-allow prelink_t prelink_log_t:file { create ra_file_perms };
+create_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
-allow prelink_t prelink_log_t:lnk_file read;
+append_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
 read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
 logging_log_filetrans(prelink_t, prelink_log_t, file)
 # prelink misc objects that are not system
 # libraries or entrypoints
-allow prelink_t prelink_object:file { create_file_perms execute relabelto relabelfrom };
+allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
 kernel_read_system_state(prelink_t)
 kernel_dontaudit_search_kernel_sysctl(prelink_t)
--- a/policy/modules/admin/quota.if
+++ b/policy/modules/admin/quota.if
@ -15,12 +15,7 @@ interface(`quota_domtrans',`
 		type quota_t, quota_exec_t;
 	')
-	domain_auto_trans($1,quota_exec_t,quota_t)
+	domtrans_pattern($1,quota_exec_t,quota_t)
 	allow $1 quota_t:fd use;
 	allow quota_t $1:fd use;
 	allow quota_t $1:fifo_file rw_file_perms;
 	allow quota_t $1:process sigchld;
 ')
 ########################################
@ -91,6 +86,5 @@ interface(`quota_manage_flags',`
 	')
 	files_search_var_lib($1)
-	allow $1 quota_flag_t:dir rw_dir_perms;
+	manage_files_pattern($1,quota_flag_t,quota_flag_t)
 	allow $1 quota_flag_t:file create_file_perms;
 ')
--- a/policy/modules/admin/quota.te
+++ b/policy/modules/admin/quota.te
@ -16,6 +16,11 @@ files_type(quota_db_t)
 type quota_flag_t;
 files_type(quota_flag_t)
 ########################################
 #
 # Local policy
 #
 allow quota_t self:capability { sys_admin dac_override };
 dontaudit quota_t self:capability sys_tty_config;
 allow quota_t self:process signal_perms;
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@ -21,8 +21,7 @@ files_pid_file(readahead_var_run_t)
 dontaudit readahead_t self:capability { dac_override dac_read_search sys_tty_config };
 allow readahead_t self:process signal_perms;
-allow readahead_t readahead_var_run_t:file create_file_perms;
+manage_files_pattern(readahead_t,readahead_var_run_t,readahead_var_run_t)
 allow readahead_t readahead_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(readahead_t,readahead_var_run_t,file)
 kernel_read_kernel_sysctls(readahead_t)
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@ -17,12 +17,7 @@ interface(`rpm_domtrans',`
 	files_search_usr($1)
 	corecmd_search_bin($1)
-	domain_auto_trans($1,rpm_exec_t,rpm_t)
+	domtrans_pattern($1,rpm_exec_t,rpm_t)
 	allow $1 rpm_t:fd use;
 	allow rpm_t $1:fd use;
 	allow rpm_t $1:fifo_file rw_file_perms;
 	allow rpm_t $1:process sigchld;
 ')
 ########################################
@ -42,8 +37,6 @@ interface(`rpm_domtrans_script',`
 	# transition to rpm script:
 	corecmd_shell_domtrans($1,rpm_script_t)
 	allow $1 rpm_script_t:fd use;
 	allow rpm_script_t $1:fd use;
 	allow rpm_script_t $1:fifo_file rw_file_perms;
 	allow rpm_script_t $1:process sigchld;
@ -137,7 +130,7 @@ interface(`rpm_read_pipes',`
 		type rpm_t;
 	')
-	allow $1 rpm_t:fifo_file r_file_perms;
+	allow $1 rpm_t:fifo_file read_fifo_file_perms;
 ')
 ########################################
@ -155,7 +148,7 @@ interface(`rpm_rw_pipes',`
 		type rpm_t;
 	')
-	allow $1 rpm_t:fifo_file rw_file_perms;
+	allow $1 rpm_t:fifo_file rw_fifo_file_perms;
 ')
 ########################################
@ -195,7 +188,7 @@ interface(`rpm_manage_log',`
 	')
 	logging_rw_generic_log_dirs($1)
-	allow $1 rpm_log_t:file create_file_perms;
+	allow $1 rpm_log_t:file manage_file_perms;
 ')
 ########################################
@ -232,9 +225,9 @@ interface(`rpm_read_db',`
 	')
 	files_search_var_lib($1)
-	allow $1 rpm_var_lib_t:dir r_dir_perms;
+	allow $1 rpm_var_lib_t:dir list_dir_perms;
-	allow $1 rpm_var_lib_t:file r_file_perms;
+	read_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t)
-	allow $1 rpm_var_lib_t:lnk_file r_file_perms;
+	read_lnk_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t)
 ')
 ########################################
@ -253,9 +246,8 @@ interface(`rpm_manage_db',`
 	')
 	files_search_var_lib($1)
-	allow $1 rpm_var_lib_t:dir rw_dir_perms;
+	manage_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t)
-	allow $1 rpm_var_lib_t:file manage_file_perms;
+	manage_lnk_files_pattern($1,rpm_var_lib_t,rpm_var_lib_t)
 	allow $1 rpm_var_lib_t:lnk_file create_lnk_perms;
 ')
 ########################################
@ -275,6 +267,6 @@ interface(`rpm_dontaudit_manage_db',`
 	')
 	dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
-	dontaudit $1 rpm_var_lib_t:file create_file_perms;
+	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
-	dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
+	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@ -56,7 +56,7 @@ allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys
 allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow rpm_t self:process { getattr setexec setfscreate setrlimit };
 allow rpm_t self:fd use;
-allow rpm_t self:fifo_file rw_file_perms;
+allow rpm_t self:fifo_file rw_fifo_file_perms;
 allow rpm_t self:unix_dgram_socket create_socket_perms;
 allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
 allow rpm_t self:unix_dgram_socket sendto;
@ -71,20 +71,19 @@ allow rpm_t self:msg { send receive };
 allow rpm_t self:dir search;
 allow rpm_t self:file rw_file_perms;;
-allow rpm_t rpm_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t)
-allow rpm_t rpm_tmp_t:file create_file_perms;
+manage_files_pattern(rpm_t,rpm_tmp_t,rpm_tmp_t)
 files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
-allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
+manage_dirs_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
-allow rpm_t rpm_tmpfs_t:file create_file_perms;
+manage_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
-allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms;
+manage_lnk_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
-allow rpm_t rpm_tmpfs_t:sock_file create_file_perms;
+manage_fifo_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
-allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms;
+manage_sock_files_pattern(rpm_t,rpm_tmpfs_t,rpm_tmpfs_t)
 fs_tmpfs_filetrans(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 # Access /var/lib/rpm files
-allow rpm_t rpm_var_lib_t:file create_file_perms;
+manage_files_pattern(rpm_t,rpm_var_lib_t,rpm_var_lib_t)
 allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
 files_var_lib_filetrans(rpm_t,rpm_var_lib_t,dir)
 kernel_read_system_state(rpm_t)
@ -184,7 +183,7 @@ ifdef(`targeted_policy',`
 	# cjp: these are here to stop type_transition
 	# conflicts since rpm_t is an alias of
 	# unconfined in the targeted policy
-	allow rpm_t rpm_log_t:file create_file_perms;
+	allow rpm_t rpm_log_t:file manage_file_perms;
 	logging_log_filetrans(rpm_t,rpm_log_t,file)
 ')
@ -230,7 +229,7 @@ allow rpm_t sysadm_gph_t:fd use;
 allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
 allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow rpm_script_t self:fd use;
-allow rpm_script_t self:fifo_file rw_file_perms;
+allow rpm_script_t self:fifo_file rw_fifo_file_perms;
 allow rpm_script_t self:unix_dgram_socket create_socket_perms;
 allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
 allow rpm_script_t self:unix_dgram_socket sendto;
@ -240,25 +239,20 @@ allow rpm_script_t self:sem create_sem_perms;
 allow rpm_script_t self:msgq create_msgq_perms;
 allow rpm_script_t self:msg { send receive };
-allow rpm_script_t rpm_tmp_t:file r_file_perms;
+allow rpm_script_t rpm_tmp_t:file read_file_perms;
 allow rpm_script_t rpm_script_tmp_t:dir mounton;
-allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(rpm_script_t,rpm_script_tmp_t,rpm_script_tmp_t)
-allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
+manage_files_pattern(rpm_script_t,rpm_script_tmp_t,rpm_script_tmp_t)
 files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
-allow rpm_script_t rpm_script_tmpfs_t:dir create_dir_perms;
+manage_dirs_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
-allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
+manage_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
-allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_lnk_perms;
+manage_lnk_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
-allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
+manage_fifo_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
-allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
+manage_sock_files_pattern(rpm_script_t,rpm_script_tmpfs_t,rpm_script_tmpfs_t)
 fs_tmpfs_filetrans(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 allow rpm_t rpm_script_t:fd use;
 allow rpm_script_t rpm_t:fd use;
 allow rpm_script_t rpm_t:fifo_file rw_file_perms;
 allow rpm_script_t rpm_t:process sigchld;
 kernel_read_kernel_sysctls(rpm_script_t)
 kernel_read_system_state(rpm_script_t)
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@ -45,15 +45,12 @@ template(`su_restricted_domain_template', `
 	dontaudit $1_su_t self:capability sys_tty_config;
 	allow $1_su_t self:key { search write };
 	allow $1_su_t self:process { setexec setsched setrlimit };
-	allow $1_su_t self:fifo_file rw_file_perms;
+	allow $1_su_t self:fifo_file rw_fifo_file_perms;
 	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
 	allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
 	# Transition from the user domain to this domain.
-	domain_auto_trans($2, su_exec_t, $1_su_t)
+	domtrans_pattern($2, su_exec_t, $1_su_t)
 	allow $1_su_t $2:fd use;
 	allow $1_su_t $2:fifo_file rw_file_perms;
 	allow $1_su_t $2:process sigchld;
 	# By default, revert to the calling domain when a shell is executed.
 	corecmd_shell_domtrans($1_su_t,$2)
@ -178,14 +175,11 @@ template(`su_per_role_template',`
 	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
 	dontaudit $1_su_t self:capability sys_tty_config;
 	allow $1_su_t self:process { setexec setsched setrlimit };
-	allow $1_su_t self:fifo_file rw_file_perms;
+	allow $1_su_t self:fifo_file rw_fifo_file_perms;
 	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
 	# Transition from the user domain to this domain.
-	domain_auto_trans($2, su_exec_t, $1_su_t)
+	domtrans_pattern($2, su_exec_t, $1_su_t)
 	allow $1_su_t $2:fd use;
 	allow $1_su_t $2:fifo_file rw_file_perms;
 	allow $1_su_t $2:process sigchld;
 	# By default, revert to the calling domain when a shell is executed.
 	corecmd_shell_domtrans($1_su_t,$2)
@ -310,7 +304,7 @@ template(`su_per_role_template',`
 	')
 	ifdef(`TODO',`
-	allow $1_su_t $1_home_t:file create_file_perms;
+	allow $1_su_t $1_home_t:file manage_file_perms;
 	# Access sshd cookie files.
 	allow $1_su_t sshd_tmp_t:file rw_file_perms;
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@ -61,7 +61,7 @@ template(`sudo_per_role_template',`
 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_sudo_t self:process { setexec setrlimit };
 	allow $1_sudo_t self:fd use;
-	allow $1_sudo_t self:fifo_file rw_file_perms;
+	allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
 	allow $1_sudo_t self:shm create_shm_perms;
 	allow $1_sudo_t self:sem create_sem_perms;
 	allow $1_sudo_t self:msgq create_msgq_perms;
@ -73,18 +73,13 @@ template(`sudo_per_role_template',`
 	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
 	# Enter this derived domain from the user domain
-	domain_auto_trans($2, sudo_exec_t, $1_sudo_t)
+	domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
 	allow $1_sudo_t $2:fd use;
 	allow $2 $1_sudo_t:fd use;
 	allow $2 $1_sudo_t:fifo_file rw_file_perms;
 	allow $2 $1_sudo_t:process sigchld;
 	# By default, revert to the calling domain when a shell is executed.
 	corecmd_shell_domtrans($1_sudo_t,$2)
 	allow $2 $1_sudo_t:fd use;
-	allow $1_sudo_t $2:fd use;
+	allow $2 $1_sudo_t:fifo_file rw_file_perms;
-	allow $1_sudo_t $2:fifo_file rw_file_perms;
+	allow $2 $1_sudo_t:process sigchld;
 	allow $1_sudo_t $2:process sigchld;
 	kernel_read_kernel_sysctls($1_sudo_t)
 	kernel_read_system_state($1_sudo_t)
@ -146,8 +141,8 @@ template(`sudo_per_role_template',`
 	')
 	ifdef(`pam.te', `
-	allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
+	allow $1_sudo_t pam_var_run_t:dir manage_dir_perms;
-	allow $1_sudo_t pam_var_run_t:file create_file_perms;
+	allow $1_sudo_t pam_var_run_t:file manage_file_perms;
 	')
 	') dnl end TODO
 ')
--- a/policy/modules/admin/sxid.if
+++ b/policy/modules/admin/sxid.if
@ -18,5 +18,5 @@ interface(`sxid_read_log',`
 	')
 	logging_search_logs($1)
-	allow $1 sxid_log_t:file r_file_perms;
+	allow $1 sxid_log_t:file read_file_perms;
 ')
--- a/policy/modules/admin/sxid.te
+++ b/policy/modules/admin/sxid.te
@ -25,15 +25,15 @@ files_tmp_file(sxid_tmp_t)
 allow sxid_t self:capability { dac_override dac_read_search fsetid };
 dontaudit sxid_t self:capability { setuid setgid sys_tty_config };
 allow sxid_t self:process signal_perms;
-allow sxid_t self:fifo_file rw_file_perms;
+allow sxid_t self:fifo_file rw_fifo_file_perms;
 allow sxid_t self:tcp_socket create_stream_socket_perms;
 allow sxid_t self:udp_socket create_socket_perms;
-allow sxid_t sxid_log_t:file create_file_perms;
+allow sxid_t sxid_log_t:file manage_file_perms;
 logging_log_filetrans(sxid_t,sxid_log_t,file)
-allow sxid_t sxid_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(sxid_t,sxid_tmp_t,sxid_tmp_t)
-allow sxid_t sxid_tmp_t:file create_file_perms;
+manage_files_pattern(sxid_t,sxid_tmp_t,sxid_tmp_t)
 files_tmp_filetrans(sxid_t, sxid_tmp_t, { file dir })
 kernel_read_system_state(sxid_t)
--- a/policy/modules/admin/tripwire.if
+++ b/policy/modules/admin/tripwire.if
@ -28,10 +28,7 @@ interface(`tripwire_domtrans_tripwire',`
 		type tripwire_t, tripwire_exec_t;
 	')
-	domain_auto_trans($1,tripwire_exec_t,tripwire_t)
+	domtrans_pattern($1,tripwire_exec_t,tripwire_t)
 	allow tripwire_t $1:fd use;
 	allow tripwire_t $1:fifo_file rw_file_perms;
 	allow tripwire_t $1:process sigchld;
 ')
 ########################################
@ -81,10 +78,7 @@ interface(`tripwire_domtrans_twadmin',`
 		type twadmin_t, twadmin_exec_t;
 	')
-	domain_auto_trans($1,twadmin_exec_t,twadmin_t)
+	domtrans_pattern($1,twadmin_exec_t,twadmin_t)
 	allow twadmin_t $1:fd use;
 	allow twadmin_t $1:fifo_file rw_file_perms;
 	allow twadmin_t $1:process sigchld;
 ')
 ########################################
@ -134,10 +128,7 @@ interface(`tripwire_domtrans_twprint',`
 		type twprint_t, twprint_exec_t;
 	')
-	domain_auto_trans($1,twprint_exec_t,twprint_t)
+	domtrans_pattern($1,twprint_exec_t,twprint_t)
 	allow twprint_t $1:fd use;
 	allow twprint_t $1:fifo_file rw_file_perms;
 	allow twprint_t $1:process sigchld;
 ')
 ########################################
@ -187,10 +178,7 @@ interface(`tripwire_domtrans_siggen',`
 		type siggen_t, siggen_exec_t;
 	')
-	domain_auto_trans($1,siggen_exec_t,siggen_t)
+	domtrans_pattern($1,siggen_exec_t,siggen_t)
 	allow siggen_t $1:fd use;
 	allow siggen_t $1:fifo_file rw_file_perms;
 	allow siggen_t $1:process sigchld;
 ')
 ########################################
--- a/policy/modules/admin/tripwire.te
+++ b/policy/modules/admin/tripwire.te
@ -46,29 +46,24 @@ domain_entry_file(twprint_t,twprint_exec_t)
 allow tripwire_t self:capability { setgid setuid dac_override };
-allow tripwire_t tripwire_etc_t:file r_file_perms;
+allow tripwire_t tripwire_etc_t:dir list_dir_perms;
-allow tripwire_t tripwire_etc_t:dir r_dir_perms;
+read_files_pattern(tripwire_t,tripwire_etc_t,tripwire_etc_t)
-allow tripwire_t tripwire_etc_t:lnk_file { getattr read };
+read_lnk_files_pattern(tripwire_t,tripwire_etc_t,tripwire_etc_t)
 files_search_etc(tripwire_t)
 allow tripwire_t tripwire_tmp_t:dir manage_dir_perms;
 allow tripwire_t tripwire_tmp_t:file manage_file_perms;
 files_tmp_filetrans(tripwire_t, tripwire_tmp_t, { file dir })
 # Tripwire report files
-allow tripwire_t tripwire_report_t:dir manage_dir_perms;
+manage_dirs_pattern(tripwire_t,tripwire_report_t,tripwire_report_t)
-allow tripwire_t tripwire_report_t:file manage_file_perms;
+manage_files_pattern(tripwire_t,tripwire_report_t,tripwire_report_t)
-allow tripwire_t tripwire_report_t:lnk_file create_lnk_perms;
+manage_lnk_files_pattern(tripwire_t,tripwire_report_t,tripwire_report_t)
-allow tripwire_t tripwire_tmp_t:dir manage_dir_perms;
+manage_dirs_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
-allow tripwire_t tripwire_tmp_t:file manage_file_perms;
+manage_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
-allow tripwire_t tripwire_tmp_t:lnk_file create_lnk_perms;
+manage_lnk_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
-allow tripwire_t tripwire_tmp_t:sock_file manage_file_perms;
+manage_fifo_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
-allow tripwire_t tripwire_tmp_t:fifo_file manage_file_perms;
+manage_sock_files_pattern(tripwire_t,tripwire_tmp_t,tripwire_tmp_t)
-files_tmp_filetrans(tripwire_t,tripwire_tmp_t,{ file lnk_file sock_file fifo_file })
+files_tmp_filetrans(tripwire_t,tripwire_tmp_t,{ dir file lnk_file sock_file fifo_file })
-allow tripwire_t tripwire_var_lib_t:file manage_file_perms;
+manage_files_pattern(tripwire_t,tripwire_var_lib_t,tripwire_var_lib_t)
 allow tripwire_t tripwire_var_lib_t:dir rw_dir_perms;
 files_var_lib_filetrans(tripwire_t,tripwire_var_lib_t,file)
 kernel_read_system_state(tripwire_t)
@ -102,9 +97,9 @@ optional_policy(`
 # Twadmin local policy
 #
-allow twadmin_t tripwire_etc_t:dir manage_dir_perms;
+manage_dirs_pattern(twadmin_t,tripwire_etc_t,tripwire_etc_t)
-allow twadmin_t tripwire_etc_t:file manage_file_perms;
+manage_files_pattern(twadmin_t,tripwire_etc_t,tripwire_etc_t)
-allow twadmin_t tripwire_etc_t:lnk_file create_lnk_perms;
+manage_lnk_files_pattern(twadmin_t,tripwire_etc_t,tripwire_etc_t)
 domain_use_interactive_fds(twadmin_t)
@ -120,17 +115,17 @@ miscfiles_read_localization(twadmin_t)
 # Twprint local policy
 #
-allow twprint_t tripwire_etc_t:dir r_dir_perms;
+allow twprint_t tripwire_etc_t:dir list_dir_perms;
-allow twprint_t tripwire_etc_t:file r_file_perms;
+read_files_pattern(twprint_t,tripwire_etc_t,tripwire_etc_t)
-allow twprint_t tripwire_etc_t:lnk_file { getattr read };
+read_lnk_files_pattern(twprint_t,tripwire_etc_t,tripwire_etc_t)
-allow twprint_t tripwire_report_t:dir r_dir_perms;
+allow twprint_t tripwire_report_t:dir list_dir_perms;
-allow twprint_t tripwire_report_t:file r_file_perms;
+read_files_pattern(twprint_t,tripwire_report_t,tripwire_report_t)
-allow twprint_t tripwire_report_t:lnk_file { getattr read };
+read_lnk_files_pattern(twprint_t,tripwire_report_t,tripwire_report_t)
-allow twprint_t tripwire_var_lib_t:dir r_dir_perms;
+allow twprint_t tripwire_var_lib_t:dir list_dir_perms;
-allow twprint_t tripwire_var_lib_t:file r_file_perms;
+read_files_pattern(twprint_t,tripwire_var_lib_t,tripwire_var_lib_t)
-allow twprint_t tripwire_var_lib_t:lnk_file { getattr read };
+read_lnk_files_pattern(twprint_t,tripwire_var_lib_t,tripwire_var_lib_t)
 files_search_var_lib(twprint_t)
 domain_use_interactive_fds(twprint_t)
--- a/policy/modules/admin/updfstab.if
+++ b/policy/modules/admin/updfstab.if
@ -17,10 +17,5 @@ interface(`updfstab_domtrans',`
 	files_search_usr($1)
 	corecmd_search_sbin($1)
-	domain_auto_trans($1,updfstab_exec_t,updfstab_t)
+	domtrans_pattern($1,updfstab_exec_t,updfstab_t)
 	allow $1 updfstab_t:fd use;
 	allow updfstab_t $1:fd use;
 	allow updfstab_t $1:fifo_file rw_file_perms;
 	allow updfstab_t $1:process sigchld;
 ')
--- a/policy/modules/admin/usbmodules.if
+++ b/policy/modules/admin/usbmodules.if
@ -15,13 +15,7 @@ interface(`usbmodules_domtrans',`
 		type usbmodules_t, usbmodules_exec_t;
 	')
-	domain_auto_trans($1, usbmodules_exec_t, usbmodules_t)
+	domtrans_pattern($1, usbmodules_exec_t, usbmodules_t)
 	allow $1 usbmodules_t:fd use;
 	allow usbmodules_t $1:fd use;
 	allow usbmodules_t $1:fifo_file rw_file_perms;
 	allow usbmodules_t $1:process sigchld;
 ')
 ########################################
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@ -17,12 +17,7 @@ interface(`usermanage_domtrans_chfn',`
 	files_search_usr($1)
 	corecmd_search_bin($1)
-	domain_auto_trans($1,chfn_exec_t,chfn_t)
+	domtrans_pattern($1,chfn_exec_t,chfn_t)
 	allow $1 chfn_t:fd use;
 	allow chfn_t $1:fd use;
 	allow chfn_t $1:fifo_file rw_file_perms;
 	allow chfn_t $1:process sigchld;
 ')
 ########################################
@ -73,12 +68,7 @@ interface(`usermanage_domtrans_groupadd',`
 	files_search_usr($1)
 	corecmd_search_sbin($1)
-	domain_auto_trans($1,groupadd_exec_t,groupadd_t)
+	domtrans_pattern($1,groupadd_exec_t,groupadd_t)
 	allow $1 groupadd_t:fd use;
 	allow groupadd_t $1:fd use;
 	allow groupadd_t $1:fifo_file rw_file_perms;
 	allow groupadd_t $1:process sigchld;
 ')
 ########################################
@ -130,12 +120,7 @@ interface(`usermanage_domtrans_passwd',`
 	files_search_usr($1)
 	corecmd_search_bin($1)
-	domain_auto_trans($1,passwd_exec_t,passwd_t)
+	domtrans_pattern($1,passwd_exec_t,passwd_t)
 	allow $1 passwd_t:fd use;
 	allow passwd_t $1:fd use;
 	allow passwd_t $1:fifo_file rw_file_perms;
 	allow passwd_t $1:process sigchld;
 ')
 ########################################
@ -187,12 +172,7 @@ interface(`usermanage_domtrans_admin_passwd',`
 	files_search_usr($1)
 	corecmd_search_bin($1)
-	domain_auto_trans($1,admin_passwd_exec_t,sysadm_passwd_t)
+	domtrans_pattern($1,admin_passwd_exec_t,sysadm_passwd_t)
 	allow $1 sysadm_passwd_t:fd use;
 	allow sysadm_passwd_t $1:fd use;
 	allow sysadm_passwd_t $1:fifo_file rw_file_perms;
 	allow sysadm_passwd_t $1:process sigchld;
 ')
 ########################################
@ -245,12 +225,7 @@ interface(`usermanage_domtrans_useradd',`
 	files_search_usr($1)
 	corecmd_search_sbin($1)
-	domain_auto_trans($1,useradd_exec_t,useradd_t)
+	domtrans_pattern($1,useradd_exec_t,useradd_t)
 	allow $1 useradd_t:fd use;
 	allow useradd_t $1:fd use;
 	allow useradd_t $1:fifo_file rw_file_perms;
 	allow useradd_t $1:process sigchld;
 ')
 ########################################
@ -300,5 +275,5 @@ interface(`usermanage_read_crack_db',`
 		type crack_db_t;
 	')
-	allow $1 crack_db_t:file r_file_perms;
+	allow $1 crack_db_t:file read_file_perms;
 ')
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@ -68,8 +68,8 @@ allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resou
 allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow chfn_t self:process { setrlimit setfscreate };
 allow chfn_t self:fd use;
-allow chfn_t self:fifo_file rw_file_perms;
+allow chfn_t self:fifo_file rw_fifo_file_perms;
-allow chfn_t self:sock_file r_file_perms;
+allow chfn_t self:sock_file read_sock_file_perms;
 allow chfn_t self:shm create_shm_perms;
 allow chfn_t self:sem create_sem_perms;
 allow chfn_t self:msgq create_msgq_perms;
@ -146,15 +146,14 @@ optional_policy(`
 #
 allow crack_t self:process { sigkill sigstop signull signal };
-allow crack_t self:fifo_file rw_file_perms;
+allow crack_t self:fifo_file rw_fifo_file_perms;
-allow crack_t crack_db_t:dir rw_dir_perms;
+manage_files_pattern(crack_t,crack_db_t,crack_db_t)
-allow crack_t crack_db_t:file create_file_perms;
+manage_lnk_files_pattern(crack_t,crack_db_t,crack_db_t)
 allow crack_t crack_db_t:lnk_file create_file_perms;
 files_search_var(crack_t)
-allow crack_t crack_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(crack_t,crack_tmp_t,crack_tmp_t)
-allow crack_t crack_tmp_t:file create_file_perms;
+manage_files_pattern(crack_t,crack_tmp_t,crack_tmp_t)
 files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
 kernel_read_system_state(crack_t)
@ -193,7 +192,7 @@ dontaudit groupadd_t self:capability { fsetid sys_tty_config };
 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow groupadd_t self:process { setrlimit setfscreate };
 allow groupadd_t self:fd use;
-allow groupadd_t self:fifo_file rw_file_perms;
+allow groupadd_t self:fifo_file rw_fifo_file_perms;
 allow groupadd_t self:shm create_shm_perms;
 allow groupadd_t self:sem create_sem_perms;
 allow groupadd_t self:msgq create_msgq_perms;
@ -274,8 +273,8 @@ allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_res
 allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow passwd_t self:process { setrlimit setfscreate };
 allow passwd_t self:fd use;
-allow passwd_t self:fifo_file rw_file_perms;
+allow passwd_t self:fifo_file rw_fifo_file_perms;
-allow passwd_t self:sock_file r_file_perms;
+allow passwd_t self:sock_file read_sock_file_perms;
 allow passwd_t self:unix_dgram_socket create_socket_perms;
 allow passwd_t self:unix_stream_socket create_stream_socket_perms;
 allow passwd_t self:unix_dgram_socket sendto;
@ -286,8 +285,8 @@ allow passwd_t self:sem create_sem_perms;
 allow passwd_t self:msgq create_msgq_perms;
 allow passwd_t self:msg { send receive };
-allow passwd_t crack_db_t:dir r_dir_perms;
+allow passwd_t crack_db_t:dir list_dir_perms;
-allow passwd_t crack_db_t:file r_file_perms;
+read_files_pattern(passwd_t,crack_db_t,crack_db_t)
 kernel_read_kernel_sysctls(passwd_t)
@ -363,8 +362,8 @@ allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid
 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sysadm_passwd_t self:process { setrlimit setfscreate };
 allow sysadm_passwd_t self:fd use;
-allow sysadm_passwd_t self:fifo_file rw_file_perms;
+allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms;
-allow sysadm_passwd_t self:sock_file r_file_perms;
+allow sysadm_passwd_t self:sock_file read_sock_file_perms;
 allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms;
 allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms;
 allow sysadm_passwd_t self:unix_dgram_socket sendto;
@ -375,8 +374,8 @@ allow sysadm_passwd_t self:msgq create_msgq_perms;
 allow sysadm_passwd_t self:msg { send receive };
 # allow vipw to create temporary files under /var/tmp/vi.recover
-allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(sysadm_passwd_t,sysadm_passwd_tmp_t,sysadm_passwd_tmp_t)
-allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
+manage_files_pattern(sysadm_passwd_t,sysadm_passwd_tmp_t,sysadm_passwd_tmp_t)
 files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
 files_search_var(sysadm_passwd_t)
 files_dontaudit_search_home(sysadm_passwd_t)
@ -458,7 +457,7 @@ dontaudit useradd_t self:capability sys_tty_config;
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
 allow useradd_t self:fd use;
-allow useradd_t self:fifo_file rw_file_perms;
+allow useradd_t self:fifo_file rw_fifo_file_perms;
 allow useradd_t self:shm create_shm_perms;
 allow useradd_t self:sem create_sem_perms;
 allow useradd_t self:msgq create_msgq_perms;
--- a/policy/modules/admin/vbetool.if
+++ b/policy/modules/admin/vbetool.if
@ -16,11 +16,5 @@ interface(`vbetool_domtrans',`
 	')
 	corecmd_search_sbin($1)
-	domain_auto_trans($1,vbetool_exec_t,vbetool_t)
+	domtrans_pattern($1,vbetool_exec_t,vbetool_t)
 	allow $1 vbetool_t:fd use;
 	allow vbetool_t $1:fd use;
 	allow vbetool_t $1:fifo_file rw_file_perms;
 	allow vbetool_t $1:process sigchld;
 ')
--- a/policy/modules/admin/vpn.if
+++ b/policy/modules/admin/vpn.if
@ -15,12 +15,7 @@ interface(`vpn_domtrans',`
 		type vpnc_t, vpnc_exec_t;
 	')
-	domain_auto_trans($1,vpnc_exec_t,vpnc_t)
+	domtrans_pattern($1,vpnc_exec_t,vpnc_t)
 	allow $1 vpnc_t:fd use;
 	allow vpnc_t $1:fd use;
 	allow vpnc_t $1:fifo_file rw_file_perms;
 	allow vpnc_t $1:process sigchld;
 ')
 ########################################
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@ -36,12 +36,11 @@ allow vpnc_t self:unix_stream_socket create_socket_perms;
 # cjp: this needs to be fixed
 allow vpnc_t self:socket create_socket_perms;
-allow vpnc_t vpnc_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t)
-allow vpnc_t vpnc_tmp_t:file create_file_perms;
+manage_files_pattern(vpnc_t,vpnc_tmp_t,vpnc_tmp_t)
 files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
-allow vpnc_t vpnc_var_run_t:file create_file_perms;
+manage_files_pattern(vpnc_t,vpnc_var_run_t,vpnc_var_run_t)
 allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(vpnc_t,vpnc_var_run_t,file)
 kernel_read_system_state(vpnc_t)
--- a/policy/modules/apps/ada.if
+++ b/policy/modules/apps/ada.if
@ -17,12 +17,7 @@ interface(`ada_domtrans',`
 		')
 		corecmd_search_bin($1)
-		domain_auto_trans($1, ada_exec_t, ada_t)
+		domtrans_pattern($1, ada_exec_t, ada_t)
 		allow $1 ada_t:fd use;
 		allow ada_t $1:fd use;
 		allow ada_t $1:fifo_file rw_file_perms;
 		allow ada_t $1:process sigchld;
 	',`
 		refpolicywarn(`$0($1) has no effect in strict policy.')
 	')
--- a/policy/modules/apps/authbind.if
+++ b/policy/modules/apps/authbind.if
@ -15,9 +15,6 @@ interface(`authbind_domtrans',`
 		type authbind_t, authbind_exec_t;
 	')
-	domain_auto_trans($1,authbind_exec_t,authbind_t)
+	domtrans_pattern($1,authbind_exec_t,authbind_t)
 	allow authbind_t $1:fd use;
 	allow authbind_t $1:fifo_file rw_file_perms;
 	allow authbind_t $1:process sigchld;
 	allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
 ')
--- a/policy/modules/apps/authbind.te
+++ b/policy/modules/apps/authbind.te
@ -22,10 +22,10 @@ files_config_file(authbind_etc_t)
 allow authbind_t self:capability net_bind_service;
-can_exec(authbind_t, authbind_etc_t)
+allow authbind_t authbind_etc_t:dir list_dir_perms;
-allow authbind_t authbind_etc_t:file r_file_perms;
+exec_files_pattern(authbind_t,authbind_etc_t,authbind_etc_t)
-allow authbind_t authbind_etc_t:dir r_dir_perms;
+read_lnk_files_pattern(authbind_t,authbind_etc_t,authbind_etc_t)
-allow authbind_t authbind_etc_t:lnk_file { getattr read };
+
 files_list_etc(authbind_t)
 term_use_console(authbind_t)
--- a/policy/modules/apps/calamaris.if
+++ b/policy/modules/apps/calamaris.if
@ -15,7 +15,7 @@ interface(`calamaris_read_www_files',`
 		type calamaris_www_t;
 	')
-	allow $1 calamaris_www_t:dir r_dir_perms;
+	allow $1 calamaris_www_t:dir list_dir_perms;
-	allow $1 calamaris_www_t:file r_file_perms;
+	read_files_pattern($1,calamaris_www_t,calamaris_www_t)
-	allow $1 calamaris_www_t:lnk_file { getattr read };
+	read_lnk_files_pattern($1,calamaris_www_t,calamaris_www_t)
 ')
--- a/policy/modules/apps/calamaris.te
+++ b/policy/modules/apps/calamaris.te
@ -29,12 +29,10 @@ allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
 allow calamaris_t self:tcp_socket create_stream_socket_perms;
 allow calamaris_t self:udp_socket create_socket_perms;
-allow calamaris_t calamaris_www_t:dir rw_dir_perms;
+manage_files_pattern(calamaris_t,calamaris_www_t,calamaris_www_t)
-allow calamaris_t calamaris_www_t:file manage_file_perms;
+manage_lnk_files_pattern(calamaris_t,calamaris_www_t,calamaris_www_t)
 allow calamaris_t calamaris_www_t:lnk_file create_lnk_perms;
-allow calamaris_t calamaris_log_t:file create_file_perms;
+manage_files_pattern(calamaris_t,calamaris_log_t,calamaris_log_t)
 allow calamaris_t calamaris_log_t:dir rw_dir_perms;
 logging_log_filetrans(calamaris_t,calamaris_log_t,{ file dir })
 kernel_read_all_sysctls(calamaris_t)
--- a/policy/modules/apps/cdrecord.if
+++ b/policy/modules/apps/cdrecord.if
@ -61,17 +61,11 @@ template(`cdrecord_per_role_template', `
 	allow $1_cdrecord_t $2:unix_stream_socket { getattr read write ioctl };
 	# allow ps to show cdrecord and allow the user to kill it 
-	allow $2 $1_cdrecord_t:dir { search getattr read };
+	ps_process_pattern($2,$1_cdrecord_t)
 	allow $2 $1_cdrecord_t:{ file lnk_file } { read getattr };
 	allow $2 $1_cdrecord_t:process getattr;
 	allow $2 $1_cdrecord_t:process signal;
 	# Transition from the user domain to the derived domain.
-	domain_auto_trans($2, cdrecord_exec_t, $1_cdrecord_t)
+	domtrans_pattern($2,cdrecord_exec_t,$1_cdrecord_t)
 	allow $2 $1_cdrecord_t:fd use;
 	allow $1_cdrecord_t $2:fd use;
 	allow $1_cdrecord_t $2:fifo_file rw_file_perms;
 	allow $1_cdrecord_t $2:process sigchld;
 	# allow searching for cdrom-drive
 	dev_list_all_dev_nodes($1_cdrecord_t) 
--- a/policy/modules/apps/ethereal.if
+++ b/policy/modules/apps/ethereal.if
@ -70,36 +70,38 @@ template(`ethereal_per_role_template',`
 	allow $1_ethereal_t self:tcp_socket create_socket_perms;
 	allow $1_ethereal_t self:udp_socket create_socket_perms;
 	# Store temporary files
 	allow $1_ethereal_t $1_ethereal_tmp_t:dir create_dir_perms;
 	allow $1_ethereal_t $1_ethereal_tmp_t:file create_file_perms;
 	files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
 	# Re-execute itself (why?)
 	can_exec($1_ethereal_t, ethereal_exec_t)
 	corecmd_search_sbin($1_ethereal_t)
 	# /home/.ethereal
-	allow $1_ethereal_t $1_ethereal_home_t:dir manage_dir_perms;
+	manage_dirs_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
-	allow $1_ethereal_t $1_ethereal_home_t:file manage_file_perms;
+	manage_files_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
-	allow $1_ethereal_t $1_ethereal_home_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
 	userdom_user_home_dir_filetrans($1,$1_ethereal_t,$1_ethereal_home_t,dir)
-	allow $1_ethereal_t $1_ethereal_tmpfs_t:dir manage_dir_perms;
+	# Store temporary files
-	allow $1_ethereal_t $1_ethereal_tmpfs_t:file manage_file_perms;
+	manage_dirs_pattern($1_ethereal_t,$1_ethereal_tmp_t,$1_ethereal_tmp_t)
-	allow $1_ethereal_t $1_ethereal_tmpfs_t:lnk_file create_lnk_perms;
+	manage_files_pattern($1_ethereal_t,$1_ethereal_tmp_t,$1_ethereal_tmp_t)
-	allow $1_ethereal_t $1_ethereal_tmpfs_t:sock_file manage_file_perms;
+	files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
-	allow $1_ethereal_t $1_ethereal_tmpfs_t:fifo_file manage_file_perms;
+
 	manage_dirs_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
 	manage_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
 	manage_lnk_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
 	manage_sock_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
 	manage_fifo_files_pattern($1_ethereal_t,$1_ethereal_tmpfs_t,$1_ethereal_tmpfs_t)
 	fs_tmpfs_filetrans($1_ethereal_t,$1_ethereal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 	domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)
 	allow $1_ethereal_t $2:fd use;
 	allow $1_ethereal_t $2:process sigchld;
-	allow $2 $1_ethereal_home_t:dir manage_dir_perms;
+	manage_dirs_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
-	allow $2 $1_ethereal_home_t:file manage_file_perms;
+	manage_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
-	allow $2 $1_ethereal_home_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
-	allow $2 $1_ethereal_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+	relabel_dirs_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
 	relabel_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
 	relabel_lnk_files_pattern($2,$1_ethereal_home_t,$1_ethereal_home_t)
 	kernel_read_kernel_sysctls($1_ethereal_t)
 	kernel_read_system_state($1_ethereal_t)
@ -240,12 +242,7 @@ template(`ethereal_domtrans_user_ethereal',`
 		type $1_ethereal_t, ethereal_exec_t;
 	')
-	domain_auto_trans($2,ethereal_exec_t,$1_ethereal_t)
+	domtrans_pattern($2,ethereal_exec_t,$1_ethereal_t)
 	allow $2 $1_ethereal_t:fd use;
 	allow $1_ethereal_t $2:fd use;
 	allow $1_ethereal_t $2:fifo_file rw_file_perms;
 	allow $1_ethereal_t $2:process sigchld;
 ')
 ########################################
@ -263,12 +260,7 @@ template(`ethereal_domtrans_tethereal',`
 		type tethereal_t, tethereal_exec_t;
 	')
-	domain_auto_trans($1,tethereal_exec_t,tethereal_t)
+	domtrans_pattern($1,tethereal_exec_t,tethereal_t)
 	allow $1 tethereal_t:fd use;
 	allow tethereal_t $1:fd use;
 	allow tethereal_t $1:fifo_file rw_file_perms;
 	allow tethereal_t $1:process sigchld;
 ')
 ########################################
--- a/policy/modules/apps/ethereal.te
+++ b/policy/modules/apps/ethereal.te
@ -30,8 +30,8 @@ allow tethereal_t self:tcp_socket create_socket_perms;
 allow tethereal_t self:udp_socket create_socket_perms;
 # Store temporary files
-allow tethereal_t tethereal_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(tethereal_t,tethereal_tmp_t,tethereal_tmp_t)
-allow tethereal_t tethereal_tmp_t:file create_file_perms;
+manage_files_pattern(tethereal_t,tethereal_tmp_t,tethereal_tmp_t)
 files_tmp_filetrans(tethereal_t, tethereal_tmp_t, { dir file })
 # /proc
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@ -442,7 +442,7 @@ template(`evolution_per_role_template',`
 		# Put secret files in .gnome2_private
 		allow $1_evolution_t $1_gnome_secret_t:dir rw_dir_perms;
-		allow $1_evolution_t $1_evolutioin_secret_t:file create_file_perms;
+		allow $1_evolution_t $1_evolutioin_secret_t:file manage_file_perms;
 		type_transition $1_evolution_t $1_gnome_secret_t:file $1_evolutioin_secret_t;
 		allow $2 $1_evolution_secret_t:file unlink;
@ -535,16 +535,16 @@ template(`evolution_per_role_template',`
 	allow $1_evolution_exchange_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
 	# Access evolution home
-	allow $1_evolution_exchange_t $1_evolution_home_t:dir create_dir_perms;
+	allow $1_evolution_exchange_t $1_evolution_home_t:dir manage_dir_perms;
-	allow $1_evolution_exchange_t $1_evolution_home_t:file create_file_perms;
+	allow $1_evolution_exchange_t $1_evolution_home_t:file manage_file_perms;
 	allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file create_lnk_perms;
 	allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto;
 	allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write;
 	# /tmp/.exchange-$USER
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir create_dir_perms;
+	allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir manage_dir_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file create_file_perms;
+	allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file manage_file_perms;
 	files_tmp_filetrans($1_evolution_exchange_t, $1_evolution_exchange_tmp_t, { file dir })
 	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:dir rw_dir_perms;
@ -619,8 +619,8 @@ template(`evolution_per_role_template',`
 	allow $1_evolution_server_t $1_evolution_exchange_orbit_tmp_t:sock_file write;
 	# Access evolution home
-	allow $1_evolution_server_t $1_evolution_home_t:dir create_dir_perms;
+	allow $1_evolution_server_t $1_evolution_home_t:dir manage_dir_perms;
-	allow $1_evolution_server_t $1_evolution_home_t:file create_file_perms;
+	allow $1_evolution_server_t $1_evolution_home_t:file manage_file_perms;
 	allow $1_evolution_server_t $1_evolution_home_t:lnk_file create_lnk_perms;
 	allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@ -62,23 +62,21 @@ template(`games_per_role_template',`
 	allow $1_games_t self:tcp_socket create_stream_socket_perms;
 	allow $1_games_t self:udp_socket create_socket_perms;
-	allow $1_games_t $1_games_tmpfs_t:dir rw_dir_perms;
+	manage_files_pattern($1_games_t,games_data_t,games_data_t)
-	allow $1_games_t $1_games_tmpfs_t:file manage_file_perms;
+	manage_lnk_files_pattern($1_games_t,games_data_t,games_data_t)
 	allow $1_games_t $1_games_tmpfs_t:lnk_file create_lnk_perms;
 	allow $1_games_t $1_games_tmpfs_t:sock_file manage_file_perms;
 	allow $1_games_t $1_games_tmpfs_t:fifo_file manage_file_perms;
 	fs_tmpfs_filetrans($1_games_t,$1_games_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-	allow $1_games_t $1_games_tmp_t:dir manage_dir_perms;
+	allow $1_games_t $1_games_devpts_t:chr_file { rw_chr_file_perms setattr };
 	allow $1_games_t $1_games_tmp_t:file manage_file_perms;
 	files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
 	allow $1_games_t $1_games_devpts_t:chr_file { rw_file_perms setattr };
 	term_create_pty($1_games_t,$1_games_devpts_t)
-	allow $1_games_t games_data_t:dir rw_dir_perms;
+	manage_dirs_pattern($1_games_t,$1_games_tmp_t,$1_games_tmp_t)
-	allow $1_games_t games_data_t:file manage_file_perms;
+	manage_files_pattern($1_games_t,$1_games_tmp_t,$1_games_tmp_t)
-	allow $1_games_t games_data_t:lnk_file create_lnk_perms;
+	files_tmp_filetrans($1_games_t, $1_games_tmp_t, { file dir })
 	manage_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
 	manage_lnk_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
 	manage_fifo_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
 	manage_sock_files_pattern($1_games_t,$1_games_tmpfs_t,$1_games_tmpfs_t)
 	fs_tmpfs_filetrans($1_games_t,$1_games_tmpfs_t,{ file lnk_file sock_file fifo_file })
 	can_exec($1_games_t, games_exec_t)
@ -159,8 +157,8 @@ template(`games_per_role_template',`
 		gnome_file_dialog($1_games, $1)
 		# Access /home/user/.gnome2
 		# FIXME: Change to use per app types
-		allow $1_games_t $1_gnome_settings_t:dir create_dir_perms;
+		allow $1_games_t $1_gnome_settings_t:dir manage_dir_perms;
-		allow $1_games_t $1_gnome_settings_t:file create_file_perms;
+		allow $1_games_t $1_gnome_settings_t:file manage_file_perms;
 		allow $1_games_t $1_gnome_settings_t:lnk_file create_lnk_perms;
 		#missing policy
 		optional_policy(`
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@ -26,12 +26,10 @@ files_pid_file(games_var_run_t)
 dontaudit games_t self:capability sys_tty_config;
 allow games_t self:process signal_perms;
-allow games_t games_data_t:dir rw_dir_perms;
+manage_files_pattern(games_t,games_data_t,games_data_t)
-allow games_t games_data_t:file manage_file_perms;
+manage_lnk_files_pattern(games_t,games_data_t,games_data_t)
 allow games_t games_data_t:lnk_file create_lnk_perms;
-allow games_t games_var_run_t:file manage_file_perms;
+manage_files_pattern(games_t,games_var_run_t,games_var_run_t)
 allow games_t games_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(games_t,games_var_run_t,file)
 can_exec(games_t,games_exec_t)
--- a/policy/modules/apps/gift.if
+++ b/policy/modules/apps/gift.if
@ -63,40 +63,34 @@ template(`gift_per_role_template',`
 	allow $1_gift_t self:tcp_socket create_socket_perms;
-	allow $1_gift_t $1_gift_tmpfs_t:dir rw_dir_perms;
+	manage_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
-	allow $1_gift_t $1_gift_tmpfs_t:file manage_file_perms;
+	manage_lnk_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
-	allow $1_gift_t $1_gift_tmpfs_t:lnk_file create_lnk_perms;
+	manage_fifo_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
-	allow $1_gift_t $1_gift_tmpfs_t:sock_file manage_file_perms;
+	manage_sock_files_pattern($1_gift_t,$1_gift_tmpfs_t,$1_gift_tmpfs_t)
 	allow $1_gift_t $1_gift_tmpfs_t:fifo_file manage_file_perms;
 	fs_tmpfs_filetrans($1_gift_t,$1_gift_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-	allow $1_gift_t $1_gift_home_t:dir manage_dir_perms;
+	manage_dirs_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
-	allow $1_gift_t $1_gift_home_t:file manage_file_perms;
+	manage_files_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
-	allow $1_gift_t $1_gift_home_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($1_gift_t,$1_gift_home_t,$1_gift_home_t)
 	userdom_user_home_dir_filetrans($1,$1_gift_t,$1_gift_home_t,dir)
 	# Launch gift daemon
-	domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
+	domtrans_pattern($1_gift_t, giftd_exec_t, $1_giftd_t)
 	allow $1_giftd_t $1_gift_t:fd use;
 	allow $1_giftd_t $1_gift_t:fifo_file rw_file_perms;
 	allow $1_giftd_t $1_gift_t:process sigchld;
 	# transition from user domain
-	domain_auto_trans($2, gift_exec_t, $1_gift_t)
+	domtrans_pattern($2, gift_exec_t, $1_gift_t)
 	allow $1_gift_t $2:fd use;
 	allow $1_gift_t $2:fifo_file rw_file_perms;
 	allow $1_gift_t $2:process sigchld;
 	# user managed content
-	allow $2 $1_gift_home_t:dir manage_dir_perms;
+	manage_dirs_pattern($2,$1_gift_home_t,$1_gift_home_t)
-	allow $2 $1_gift_home_t:file manage_file_perms;
+	manage_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
-	allow $2 $1_gift_home_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
-	allow $2 $1_gift_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+	relabel_dirs_pattern($2,$1_gift_home_t,$1_gift_home_t)
 	relabel_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
 	relabel_lnk_files_pattern($2,$1_gift_home_t,$1_gift_home_t)
 	# Allow the user domain to signal/ps.
-	allow $2 $1_gift_t:dir { search getattr read };
+	ps_process_pattern($2,$1_gift_t)
-	allow $2 $1_gift_t:{ file lnk_file } { read getattr };
+	allow $2 $1_gift_t:process signal_perms;
 	allow $2 $1_gift_t:process { getattr signal_perms };
 	# Read /proc/meminfo
 	kernel_read_system_state($1_giftd_t)
@ -150,15 +144,12 @@ template(`gift_per_role_template',`
 	allow $1_giftd_t self:tcp_socket create_stream_socket_perms;
 	allow $1_giftd_t self:udp_socket create_socket_perms;
-	allow $1_giftd_t $1_gift_home_t:dir manage_dir_perms;
+	manage_dirs_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
-	allow $1_giftd_t $1_gift_home_t:file manage_file_perms;
+	manage_files_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
-	allow $1_giftd_t $1_gift_home_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($1_giftd_t,$1_gift_home_t,$1_gift_home_t)
 	userdom_user_home_dir_filetrans($1,$1_giftd_t,$1_gift_home_t,dir)
-	domain_auto_trans($2, giftd_exec_t, $1_giftd_t)
+	domtrans_pattern($2, giftd_exec_t, $1_giftd_t)
 	allow $1_giftd_t $2:fd use;
 	allow $1_giftd_t $2:fifo_file rw_file_perms;
 	allow $1_giftd_t $2:process sigchld;
 	kernel_read_system_state($1_giftd_t)
 	kernel_read_kernel_sysctls($1_giftd_t)
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@ -59,12 +59,12 @@ template(`gnome_per_role_template',`
 	allow $1_gconfd_t self:process getsched;
-	allow $1_gconfd_t $1_gconf_home_t:dir manage_dir_perms;
+	manage_dirs_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
-	allow $1_gconfd_t $1_gconf_home_t:file manage_file_perms;
+	manage_files_pattern($1_gconfd_t,$1_gconf_home_t,$1_gconf_home_t)
 	userdom_user_home_dir_filetrans($1, $1_gconfd_t, $1_gconf_home_t, dir)
-	allow $1_gconfd_t $1_gconf_tmp_t:dir manage_dir_perms;
+	manage_dirs_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t)
-	allow $1_gconfd_t $1_gconf_tmp_t:file manage_file_perms;
+	manage_files_pattern($1_gconfd_t,$1_gconf_tmp_t,$1_gconf_tmp_t)
 	userdom_user_tmp_filetrans($1,$1_gconfd_t,$1_gconf_tmp_t,{ dir file })
 	domain_auto_trans($2, gconfd_exec_t, $1_gconfd_t)
@ -73,7 +73,7 @@ template(`gnome_per_role_template',`
 	allow $1_gconfd_t $2:unix_stream_socket connectto;
 	allow $1_gconfd_t gconf_etc_t:dir list_dir_perms;
-	allow $1_gconfd_t gconf_etc_t:file read_file_perms;
+	read_files_pattern($1_gconfd_t,gconf_etc_t,gconf_etc_t)
 	dev_read_urand($1_gconfd_t)
@ -125,5 +125,5 @@ template(`gnome_stream_connect_gconf_template',`
 	')
 	allow $2 $1_gconfd_t:unix_stream_socket connectto;
-	allow $2 $1_gconf_tmp_t:file r_file_perms;
+	allow $2 $1_gconf_tmp_t:file read_file_perms;
 ')
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@ -81,23 +81,20 @@ template(`gpg_per_role_template',`
 	# setrlimit is for ulimit -c 0
 	allow $1_gpg_t self:process { setrlimit setcap setpgid };
-	allow $1_gpg_t self:fifo_file rw_file_perms;
+	allow $1_gpg_t self:fifo_file rw_fifo_file_perms;
 	allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
-	allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
+	# transition from the gpg domain to the helper domain
-	allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
+	domtrans_pattern($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
-	allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
+
 	manage_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
 	manage_lnk_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
 	# transition from the userdomain to the derived domain
-	domain_auto_trans($2,gpg_exec_t,$1_gpg_t)
+	domtrans_pattern($2,gpg_exec_t,$1_gpg_t)
 	allow $1_gpg_t $2:fd use;
 	allow $1_gpg_t $2:fifo_file rw_file_perms;
 	allow $1_gpg_t $2:process sigchld;
 	# allow ps to show gpg
-	allow $2 $1_gpg_t:dir { search getattr read };
+	ps_process_pattern($2,$1_gpg_t)
 	allow $2 $1_gpg_t:{ file lnk_file } { read getattr };
 	allow $2 $1_gpg_t:process getattr;
 	corenet_non_ipsec_sendrecv($1_gpg_t)
 	corenet_tcp_sendrecv_all_if($1_gpg_t)
@ -152,21 +149,14 @@ template(`gpg_per_role_template',`
 	# Note: this is only tested with the hkp interface. If you use eg the 
 	# mail interface you will likely need additional permissions.
 	allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
 	allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
 	# communicate with the user 
 	allow $1_gpg_helper_t $2:fd use;
 	allow $1_gpg_helper_t $2:fifo_file write;
 	# transition from the gpg domain to the helper domain
 	domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
 	allow $1_gpg_helper_t $1_gpg_t:fd use;
 	allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
 	allow $1_gpg_helper_t $1_gpg_t:process sigchld;
 	allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
 	allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
 	dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
 	corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
@ -215,36 +205,29 @@ template(`gpg_per_role_template',`
 	allow $1_gpg_agent_t self:process setrlimit;
 	allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
-	allow $1_gpg_agent_t self:fifo_file rw_file_perms;
+	allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms;
 	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-	allow $1_gpg_agent_t $1_gpg_secret_t:dir create_dir_perms;
+	manage_dirs_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
-	allow $1_gpg_agent_t $1_gpg_secret_t:file create_file_perms;
+	manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
-	allow $1_gpg_agent_t $1_gpg_secret_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 	# allow gpg to connect to the gpg agent
-	allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
+	stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
 	allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
 	allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto;
 	# allow ps to show gpg-agent
-	allow $2 $1_gpg_agent_t:dir { search getattr read };
+	ps_process_pattern($2,$1_gpg_agent_t)
 	allow $2 $1_gpg_agent_t:{ file lnk_file } { read getattr };
 	allow $2 $1_gpg_agent_t:process getattr;
 	# Allow the user shell to signal the gpg-agent program.
 	allow $2 $1_gpg_agent_t:process { signal sigkill };
-	allow $2 $1_gpg_agent_tmp_t:dir create_dir_perms;
+	manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
-	allow $2 $1_gpg_agent_tmp_t:file create_file_perms;
+	manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
-	allow $2 $1_gpg_agent_tmp_t:sock_file create_file_perms;
+	manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
 	files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
 	# Transition from the user domain to the derived domain.
-	domain_auto_trans($2, gpg_agent_exec_t, $1_gpg_agent_t)
+	domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
 	allow $1_gpg_agent_t $2:fd use;
 	allow $1_gpg_agent_t $2:fifo_file rw_file_perms;
 	allow $1_gpg_agent_t $2:process sigchld;
 	corecmd_search_bin($1_gpg_agent_t)
@ -277,15 +260,12 @@ template(`gpg_per_role_template',`
 	# Pinentry local policy
 	#
 	allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
 	allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
 	# we need to allow gpg-agent to call pinentry so it can get the passphrase 
 	# from the user.
-	domain_auto_trans($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
+	domtrans_pattern($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t)
 	allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
 	allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
 	allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
 	allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
 	allow $1_gpg_pinentry_t self:fifo_file rw_file_perms;
 	# read /proc/meminfo
 	kernel_read_system_state($1_gpg_pinentry_t)
@ -366,11 +346,7 @@ template(`gpg_domtrans_user_gpg',`
 		type $1_gpg_t, gpg_exec_t;
 	')
-	domain_auto_trans($2, gpg_exec_t, $1_gpg_t)
+	domtrans_pattern($2, gpg_exec_t, $1_gpg_t)
 	allow $2 $1_gpg_t:fd use;
 	allow $1_gpg_t $2:fd use;
 	allow $1_gpg_t $2:fifo_file rw_file_perms;
 	allow $1_gpg_t $2:process sigchld;
 ')
 ########################################
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@ -62,40 +62,31 @@ template(`irc_per_role_template',`
 	# Local policy
 	#
 	allow $1_irc_t self:dir search;
 	allow $1_irc_t self:lnk_file read;
 	allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_irc_t self:tcp_socket create_socket_perms;
 	allow $1_irc_t self:udp_socket create_socket_perms;
-	allow $1_irc_t $1_irc_home_t:dir create_dir_perms;
+	manage_dirs_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
-	allow $1_irc_t $1_irc_home_t:file create_file_perms;
+	manage_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
-	allow $1_irc_t $1_irc_home_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($1_irc_t,$1_irc_home_t,$1_irc_home_t)
 	userdom_user_home_dir_filetrans($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file })
 	# access files under /tmp
-	allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
+	manage_dirs_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
-	allow $1_irc_t $1_irc_tmp_t:file create_file_perms;
+	manage_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
-	allow $1_irc_t $1_irc_tmp_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
-	allow $1_irc_t $1_irc_tmp_t:sock_file create_file_perms;
+	manage_fifo_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
-	allow $1_irc_t $1_irc_tmp_t:fifo_file create_file_perms;
+	manage_sock_files_pattern($1_irc_t,$1_irc_tmp_t,$1_irc_tmp_t)
 	files_tmp_filetrans($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
 	# Transition from the user domain to the derived domain.
-	domain_auto_trans($2,irc_exec_t,$1_irc_t)
+	domtrans_pattern($2,irc_exec_t,$1_irc_t)
 	allow $2 $1_irc_t:fd use;
 	allow $1_irc_t $2:fd use;
 	allow $1_irc_t $2:fifo_file rw_file_perms;
 	allow $1_irc_t $2:process sigchld;
-	allow $2 $1_irc_t:process signal;
+	allow $2 $1_irc_exec_t:file { relabelfrom relabelto manage_file_perms };
 	allow $2 $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };
 	# allow ps to show irc
-	allow $2 $1_irc_t:dir { search getattr read };
+	ps_process_pattern($2,$1_irc_t)
-	allow $2 $1_irc_t:{ file lnk_file } { read getattr };
+	allow $2 $1_irc_t:process signal;
 	allow $2 $1_irc_t:process getattr;
 	kernel_read_proc_symlinks($1_irc_t)
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@ -59,7 +59,7 @@ template(`java_per_role_template',`
 	#
 	allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem };
-	allow $1_javaplugin_t self:fifo_file rw_file_perms;
+	allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms;
 	allow $1_javaplugin_t self:tcp_socket create_socket_perms;
 	allow $1_javaplugin_t self:udp_socket create_socket_perms;
@ -67,21 +67,18 @@ template(`java_per_role_template',`
 	allow $1_javaplugin_t $2:unix_stream_socket { read write };
 	userdom_write_user_tmp_sockets($1,$1_javaplugin_t)
-	allow $1_javaplugin_t $1_javaplugin_tmp_t:dir create_dir_perms;
+	manage_dirs_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t)
-	allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms;
+	manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmp_t,$1_javaplugin_tmp_t)
 	files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
-	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+	manage_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
-	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	manage_lnk_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
-	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+	manage_fifo_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
-	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	manage_sock_files_pattern($1_javaplugin_t,$1_javaplugin_tmpfs_t,$1_javaplugin_tmpfs_t)
-	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ file lnk_file sock_file fifo_file })
 	fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-	# cjp: rw_dir_perms here doesnt make sense
+	rw_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t)
-	allow $1_javaplugin_t $1_home_t:dir rw_dir_perms;
+	read_files_pattern($1_javaplugin_t,$1_home_t,$1_home_t)
 	allow $1_javaplugin_t $1_home_t:file rw_file_perms;
 	allow $1_javaplugin_t $1_home_t:lnk_file { getattr read };
 	can_exec($1_javaplugin_t, java_exec_t)
@ -189,12 +186,7 @@ interface(`java_domtrans',`
 		')
 		corecmd_search_bin($1)
-		domain_auto_trans($1, java_exec_t, java_t)
+		domtrans_pattern($1, java_exec_t, java_t)
 		allow $1 java_t:fd use;
 		allow java_t $1:fd use;
 		allow java_t $1:fifo_file rw_file_perms;
 		allow java_t $1:process sigchld;
 	',`
 		refpolicywarn(`$0($1) has no effect in strict policy.')
 	')
--- a/policy/modules/apps/loadkeys.if
+++ b/policy/modules/apps/loadkeys.if
@ -17,12 +17,7 @@ interface(`loadkeys_domtrans',`
 		')
 		corecmd_search_bin($1)
-		domain_auto_trans($1, loadkeys_exec_t, loadkeys_t)
+		domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
 		allow $1 loadkeys_t:fd use;
 		allow loadkeys_t $1:fd use;
 		allow loadkeys_t $1:fifo_file rw_file_perms;
 		allow loadkeys_t $1:process sigchld;
 	',`
 		refpolicywarn(`$0($*) has no effect in targeted policy.')
 	')
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@ -30,7 +30,7 @@ ifdef(`targeted_policy',`
 	# loadkeys domain disabled in targeted policy
 ',`
 	allow loadkeys_t self:capability { setuid sys_tty_config };
-	allow loadkeys_t self:fifo_file rw_file_perms;
+	allow loadkeys_t self:fifo_file rw_fifo_file_perms;
 	kernel_read_system_state(loadkeys_t)
--- a/policy/modules/apps/lockdev.if
+++ b/policy/modules/apps/lockdev.if
@ -61,13 +61,9 @@ template(`lockdev_per_role_template',`
 	allow $1_lockdev_t $2:process signull;
 	# Transition from the user domain to the derived domain.
-	domain_auto_trans($2, lockdev_exec_t, $1_lockdev_t)
+	domtrans_pattern($2, lockdev_exec_t, $1_lockdev_t)
 	allow $2 $1_lockdev_t:fd use;
 	allow $1_lockdev_t $2:fd use;
 	allow $1_lockdev_t $2:fifo_file rw_file_perms;
 	allow $1_lockdev_t $2:process sigchld;
-	allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms;
+	allow $1_lockdev_t $1_lockdev_lock_t:file manage_file_perms;
 	files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t,file)
 	files_read_all_locks($1_lockdev_t)
--- a/policy/modules/apps/mono.if
+++ b/policy/modules/apps/mono.if
@ -16,10 +16,5 @@ interface(`mono_domtrans',`
 	')
 	corecmd_search_bin($1)
-	domain_auto_trans($1, mono_exec_t, mono_t)
+	domtrans_pattern($1, mono_exec_t, mono_t)
 	allow $1 mono_t:fd use;
 	allow mono_t $1:fd use;
 	allow mono_t $1:fifo_file rw_file_perms;
 	allow mono_t $1:process sigchld;
 ')
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@ -57,6 +57,7 @@ template(`mozilla_per_role_template',`
 	#
 	# Local policy
 	#
 	allow $1_mozilla_t self:capability { sys_nice setgid setuid };
 	allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
 	allow $1_mozilla_t self:fifo_file { getattr read write };
@ -72,13 +73,13 @@ template(`mozilla_per_role_template',`
 	can_exec($1_mozilla_t, mozilla_exec_t)
 	# X access, Home files
-	allow $1_mozilla_t $1_mozilla_home_t:dir manage_dir_perms;
+	manage_dirs_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
-	allow $1_mozilla_t $1_mozilla_home_t:file manage_file_perms;
+	manage_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
-	allow $1_mozilla_t $1_mozilla_home_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
-	fs_search_auto_mountpoints($1_mozilla_t)
+	userdom_search_user_home_dirs($1,$1_mozilla_t)
 	# Mozpluggerrc
-	allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
+	allow $1_mozilla_t mozilla_conf_t:file read_file_perms;
 	allow $1_mozilla_t $2:fd use;
 	allow $1_mozilla_t $2:process sigchld;
@ -89,28 +90,23 @@ template(`mozilla_per_role_template',`
 	allow $2 $1_mozilla_t:unix_stream_socket connectto;
 	# X access, Home files
-	allow $2 $1_mozilla_home_t:dir manage_dir_perms;
+	manage_dirs_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
-	allow $2 $1_mozilla_home_t:file manage_file_perms;
+	manage_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
-	allow $2 $1_mozilla_home_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
-	allow $2 $1_mozilla_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+	relabel_dirs_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
-	userdom_search_user_home_dirs($1,$1_mozilla_t)
+	relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
 	relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
-	allow $1_mozilla_t $1_mozilla_tmpfs_t:dir rw_dir_perms;
+	manage_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
-	allow $1_mozilla_t $1_mozilla_tmpfs_t:file manage_file_perms;
+	manage_lnk_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
-	allow $1_mozilla_t $1_mozilla_tmpfs_t:lnk_file create_lnk_perms;
+	manage_fifo_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
-	allow $1_mozilla_t $1_mozilla_tmpfs_t:sock_file manage_file_perms;
+	manage_sock_files_pattern($1_mozilla_t,$1_mozilla_tmpfs_t,$1_mozilla_tmpfs_t)
-	allow $1_mozilla_t $1_mozilla_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ file lnk_file sock_file fifo_file })
 	fs_tmpfs_filetrans($1_mozilla_t,$1_mozilla_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 	# Unrestricted inheritance from the caller.
 	allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
 	allow $1_mozilla_t $2:process signull;
 	# Allow the user domain to signal/ps.
-	allow $2 $1_mozilla_t:dir { search getattr read };
+	ps_process_pattern($2,$1_mozilla_t)
 	allow $2 $1_mozilla_t:{ file lnk_file } { read getattr };
 	allow $2 $1_mozilla_t:process getattr;
 	allow $2 $1_mozilla_t:process signal_perms;
 	kernel_read_kernel_sysctls($1_mozilla_t)
@ -164,6 +160,7 @@ template(`mozilla_per_role_template',`
 	files_read_var_files($1_mozilla_t)
 	files_read_var_symlinks($1_mozilla_t)
 	fs_search_auto_mountpoints($1_mozilla_t)
 	fs_search_inotifyfs($1_mozilla_t)
 	fs_rw_tmpfs_files($1_mozilla_t)
@ -208,6 +205,8 @@ template(`mozilla_per_role_template',`
 	# Type transition
 	tunable_policy(`! disable_mozilla_trans',`
 		domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t)
 		# Unrestricted inheritance from the caller.
 		allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
 	')
 	# Uploads, local html
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@ -61,26 +61,20 @@ template(`mplayer_per_role_template',`
 	# mencoder local policy
 	#
-	allow $1_mencoder_t $1_mplayer_home_t:dir create_dir_perms;
+	manage_dirs_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t)
-	allow $1_mencoder_t $1_mplayer_home_t:file create_file_perms;
+	manage_files_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t)
-	allow $1_mencoder_t $1_mplayer_home_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($1_mencoder_t,$1_mplayer_home_t,$1_mplayer_home_t)
 	# Read global config
-	allow $1_mencoder_t mplayer_etc_t:dir r_dir_perms;
+	allow $1_mencoder_t mplayer_etc_t:dir list_dir_perms;
-	allow $1_mencoder_t mplayer_etc_t:file r_file_perms;
+	read_files_pattern($1_mencoder_t,mplayer_etc_t,mplayer_etc_t)
-	allow $1_mencoder_t mplayer_etc_t:lnk_file { getattr read };
+	read_lnk_files_pattern($1_mencoder_t,mplayer_etc_t,mplayer_etc_t)
 	# domain transition
-	domain_auto_trans($2, mencoder_exec_t, $1_mencoder_t)
+	domtrans_pattern($2, mencoder_exec_t, $1_mencoder_t)
 	allow $2 $1_mencoder_t:fd use;
 	allow $1_mencoder_t $2:fd use;
 	allow $1_mencoder_t $2:fifo_file rw_file_perms;
 	allow $1_mencoder_t $2:process sigchld;
 	# Allow the user domain to signal/ps.
-	allow $2 $1_mencoder_t:dir { search getattr read };
+	ps_process_pattern($2,$1_mencoder_t,$1_mencoder_t)
 	allow $2 $1_mencoder_t:{ file lnk_file } { read getattr };
 	allow $2 $1_mencoder_t:process getattr;
 	allow $2 $1_mencoder_t:process signal_perms;
 	# Read /proc files and directories
@ -254,42 +248,37 @@ template(`mplayer_per_role_template',`
 	#
 	allow $1_mplayer_t self:process { signal_perms getsched };
-	allow $1_mplayer_t self:fifo_file rw_file_perms;
+	allow $1_mplayer_t self:fifo_file rw_fifo_file_perms;
-	allow $1_mplayer_t $1_mplayer_home_t:dir manage_dir_perms;
+	manage_dirs_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
-	allow $1_mplayer_t $1_mplayer_home_t:file manage_file_perms;
+	manage_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
-	allow $1_mplayer_t $1_mplayer_home_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($1_mplayer_t,$1_mplayer_home_t,$1_mplayer_home_t)
 	userdom_search_user_home_dirs($1,$1_mplayer_t)
-	allow $1_mplayer_t $1_mplayer_tmpfs_t:dir rw_dir_perms;
+	manage_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
-	allow $1_mplayer_t $1_mplayer_tmpfs_t:file manage_file_perms;
+	manage_lnk_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
-	allow $1_mplayer_t $1_mplayer_tmpfs_t:lnk_file create_lnk_perms;
+	manage_fifo_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
-	allow $1_mplayer_t $1_mplayer_tmpfs_t:sock_file manage_file_perms;
+	manage_sock_files_pattern($1_mplayer_t,$1_mplayer_tmpfs_t,$1_mplayer_tmpfs_t)
 	allow $1_mplayer_t $1_mplayer_tmpfs_t:fifo_file manage_file_perms;
 	fs_tmpfs_filetrans($1_mplayer_t,$1_mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 	# Read global config
-	allow $1_mplayer_t mplayer_etc_t:dir r_dir_perms;
+	allow $1_mplayer_t mplayer_etc_t:dir list_dir_perms;
-	allow $1_mplayer_t mplayer_etc_t:file r_file_perms;
+	read_files_pattern($1_mplayer_t,mplayer_etc_t,mplayer_etc_t)
-	allow $1_mplayer_t mplayer_etc_t:lnk_file { getattr read };
+	read_lnk_files_pattern($1_mplayer_t,mplayer_etc_t,mplayer_etc_t)
 	# Home access
-	allow $2 $1_mplayer_home_t:dir manage_dir_perms;
+	manage_dirs_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
-	allow $2 $1_mplayer_home_t:file manage_file_perms;
+	manage_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
-	allow $2 $1_mplayer_home_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
-	allow $2 $1_mplayer_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+	relabel_dirs_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
 	relabel_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
 	relabel_lnk_files_pattern($2,$1_mplayer_home_t,$1_mplayer_home_t)
 	# domain transition
-	domain_auto_trans($2, mplayer_exec_t, $1_mplayer_t)
+	domtrans_pattern($2, mplayer_exec_t, $1_mplayer_t)
 	allow $2 $1_mplayer_t:fd use;
 	allow $1_mplayer_t $2:fd use;
 	allow $1_mplayer_t $2:fifo_file rw_file_perms;
 	allow $1_mplayer_t $2:process sigchld;
 	# Allow the user domain to signal/ps.
-	allow $2 $1_mplayer_t:dir { search getattr read };
+	ps_process_pattern($2,$1_mplayer_t)
 	allow $2 $1_mplayer_t:{ file lnk_file } { read getattr };
 	allow $2 $1_mplayer_t:process getattr;
 	allow $2 $1_mplayer_t:process signal_perms;
 	kernel_dontaudit_list_unlabeled($1_mplayer_t)
--- a/policy/modules/apps/rssh.if
+++ b/policy/modules/apps/rssh.if
@ -53,7 +53,7 @@ template(`rssh_per_role_template',`
 	allow $1_rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_rssh_t self:fd use;
-	allow $1_rssh_t self:fifo_file rw_file_perms;
+	allow $1_rssh_t self:fifo_file rw_fifo_file_perms;
 	allow $1_rssh_t self:unix_dgram_socket create_socket_perms;
 	allow $1_rssh_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_rssh_t self:unix_dgram_socket sendto;
@ -67,10 +67,10 @@ template(`rssh_per_role_template',`
 	term_create_pty($1_rssh_t,$1_rssh_devpts_t)
 	allow $1_rssh_t $1_rssh_ro_t:dir list_dir_perms;
-	allow $1_rssh_t $1_rssh_ro_t:file read_file_perms;
+	read_files_pattern($1_rssh_t,$1_rssh_ro_t,$1_rssh_ro_t)
-	allow $1_rssh_t $1_rssh_rw_t:dir manage_dir_perms;
+	manage_dirs_pattern($1_rssh_t,$1_rssh_rw_t,$1_rssh_rw_t)
-	allow $1_rssh_t $1_rssh_rw_t:file manage_file_perms;
+	manage_files_pattern($1_rssh_t,$1_rssh_rw_t,$1_rssh_rw_t)
 	kernel_read_system_state($1_rssh_t)
 	kernel_read_kernel_sysctls($1_rssh_t)
@ -116,10 +116,7 @@ interface(`rssh_spec_domtrans_all_users',`
 		type rssh_exec_t;
 	')
-	domain_trans($1,rssh_exec_t,rssh_domain_type)
+	spec_domtrans_pattern($1,rssh_exec_t,rssh_domain_type)
 	allow rssh_domain_type $1:fd use;
 	allow rssh_domain_type $1:fifo_file rw_file_perms;
 	allow rssh_domain_type $1:process sigchld;
 ')
 ########################################
@ -137,7 +134,7 @@ interface(`rssh_read_all_users_ro_content',`
 		attribute rssh_ro_content_type;
 	')
-	allow $1 rssh_ro_content_type:dir r_dir_perms;
+	allow $1 rssh_ro_content_type:dir list_dir_perms;
-	allow $1 rssh_ro_content_type:file r_file_perms;
+	read_files_pattern($1,rssh_ro_content_type,rssh_ro_content_type)
-	allow $1 rssh_ro_content_type:lnk_file { getattr read };
+	read_lnk_files_pattern($1,rssh_ro_content_type,rssh_ro_content_type)
 ')
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@ -71,33 +71,33 @@ template(`screen_per_role_template',`
 	allow $1_screen_t self:unix_stream_socket create_socket_perms;
 	allow $1_screen_t self:unix_dgram_socket create_socket_perms;
-	allow $1_screen_t $1_screen_tmp_t:dir create_dir_perms;
+	manage_dirs_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t)
-	allow $1_screen_t $1_screen_tmp_t:file create_file_perms;
+	manage_files_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t)
-	allow $1_screen_t $1_screen_tmp_t:fifo_file create_file_perms;
+	manage_fifo_files_pattern($1_screen_t,$1_screen_tmp_t,$1_screen_tmp_t)
 	files_tmp_filetrans($1_screen_t, $1_screen_tmp_t, { file dir })
 	# Create fifo
-	allow $1_screen_t screen_dir_t:dir rw_dir_perms;
+	manage_fifo_files_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t)
-	allow $1_screen_t screen_dir_t:dir create_dir_perms;
+	manage_dirs_pattern($1_screen_t,screen_dir_t,screen_dir_t)
-	allow $1_screen_t $1_screen_var_run_t:fifo_file create_file_perms;
+	filetrans_pattern($1_screen_t,screen_dir_t,$1_screen_var_run_t,fifo_file)
 	type_transition $1_screen_t screen_dir_t:fifo_file $1_screen_var_run_t;
 	files_pid_filetrans($1_screen_t,screen_dir_t,dir)
-	allow $1_screen_t $1_screen_ro_home_t:dir r_dir_perms;
+	allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms;
-	allow $1_screen_t $1_screen_ro_home_t:file r_file_perms;
+	read_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t)
-	allow $1_screen_t $1_screen_ro_home_t:lnk_file { read getattr };
+	read_lnk_files_pattern($1_screen_t,$1_screen_ro_home_t,$1_screen_ro_home_t)
-	domain_auto_trans($2, screen_exec_t, $1_screen_t)
+	allow $1_screen_t $2:process signal;
 	domtrans_pattern($2, screen_exec_t, $1_screen_t)
 	allow $2 $1_screen_t:process signal;
-	allow $1_screen_t $2:process { signal sigchld };
+	allow $1_screen_t $2:process signal;
 	allow $1_screen_t $2:fd use;
 	allow $1_screen_t $2:fifo_file rw_file_perms;
 	allow $1_screen_t $1_home_dir_t:dir { search getattr };
-	allow $2 $1_screen_ro_home_t:dir create_dir_perms;
+	manage_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
-	allow $2 $1_screen_ro_home_t:file create_file_perms;
+	manage_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
-	allow $2 $1_screen_ro_home_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
-	allow $2 $1_screen_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+	relabel_dirs_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
 	relabel_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
 	relabel_lnk_files_pattern($2,$1_screen_ro_home_t,$1_screen_ro_home_t)
 	kernel_read_system_state($1_screen_t)
 	kernel_read_kernel_sysctls($1_screen_t)
@ -190,11 +190,4 @@ template(`screen_per_role_template',`
 	optional_policy(`
 		nscd_socket_use($1_screen_t)
 	')
 	ifdef(`TODO',`
 	# Inherit and use descriptors from gnome-pty-helper.
 	optional_policy(`
 		allow $1_screen_t $1_gph_t:fd use;
 	')
 	') dnl TODO
 ')
--- a/policy/modules/apps/slocate.if
+++ b/policy/modules/apps/slocate.if
@ -16,6 +16,6 @@ interface(`slocate_create_append_log',`
 	')
 	logging_search_logs($1)
-	allow $1 locate_log_t:dir ra_dir_perms;
+	create_files_pattern($1,locate_log_t,locate_log_t)
-	allow $1 locate_log_t:file { create append getattr };
+	append_files_pattern($1,locate_log_t,locate_log_t)
 ')
--- a/policy/modules/apps/slocate.te
+++ b/policy/modules/apps/slocate.te
@ -23,11 +23,11 @@ files_type(locate_var_lib_t)
 allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
 allow locate_t self:process { execmem execheap execstack };
-allow locate_t self:fifo_file rw_file_perms;
+allow locate_t self:fifo_file rw_fifo_file_perms;
 allow locate_t self:unix_stream_socket create_socket_perms;
-allow locate_t locate_var_lib_t:dir create_dir_perms;
+manage_dirs_pattern(locate_t,locate_var_lib_t,locate_var_lib_t)
-allow locate_t locate_var_lib_t:file create_file_perms;
+manage_files_pattern(locate_t,locate_var_lib_t,locate_var_lib_t)
 kernel_read_system_state(locate_t)
 kernel_dontaudit_search_sysctl(locate_t)
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@ -64,16 +64,15 @@ template(`thunderbird_per_role_template',`
 	allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
 	# Access ~/.thunderbird
-	allow $1_thunderbird_t $1_thunderbird_home_t:dir manage_dir_perms;
+	manage_dirs_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
-	allow $1_thunderbird_t $1_thunderbird_home_t:file manage_file_perms;
+	manage_files_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
-	allow $1_thunderbird_t $1_thunderbird_home_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
 	userdom_search_user_home_dirs($1,$1_thunderbird_t)
-	allow $1_thunderbird_t $1_thunderbird_tmpfs_t:dir rw_dir_perms;
+	manage_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
-	allow $1_thunderbird_t $1_thunderbird_tmpfs_t:file manage_file_perms;
+	manage_lnk_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
-	allow $1_thunderbird_t $1_thunderbird_tmpfs_t:lnk_file create_lnk_perms;
+	manage_fifo_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
-	allow $1_thunderbird_t $1_thunderbird_tmpfs_t:sock_file manage_file_perms;
+	manage_sock_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t)
 	allow $1_thunderbird_t $1_thunderbird_tmpfs_t:fifo_file manage_file_perms;
 	fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 	allow $2 $1_thunderbird_t:fd use;
@ -84,15 +83,15 @@ template(`thunderbird_per_role_template',`
 	allow $1_thunderbird_t $2:unix_stream_socket connectto;
 	# Allow the user domain to signal/ps.
-	allow $2 $1_thunderbird_t:dir { search getattr read };
+	ps_process_pattern($2,$1_thunderbird_t)
 	allow $2 $1_thunderbird_t:{ file lnk_file } { read getattr };
 	allow $2 $1_thunderbird_t:process getattr;
 	# Access ~/.thunderbird
-	allow $2 $1_thunderbird_home_t:dir manage_dir_perms;
+	manage_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
-	allow $2 $1_thunderbird_home_t:file manage_file_perms;
+	manage_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
-	allow $2 $1_thunderbird_home_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
-	allow $2 $1_thunderbird_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+	relabel_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
 	relabel_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
 	relabel_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
 	# Allow netstat
 	kernel_read_network_state($1_thunderbird_t)
--- a/policy/modules/apps/tvtime.if
+++ b/policy/modules/apps/tvtime.if
@ -65,40 +65,34 @@ template(`tvtime_per_role_template',`
 	allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms;
 	# X access, Home files
-	allow $1_tvtime_t $1_tvtime_home_t:dir manage_dir_perms;
+	manage_dirs_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t)
-	allow $1_tvtime_t $1_tvtime_home_t:file manage_file_perms;
+	manage_files_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t)
-	allow $1_tvtime_t $1_tvtime_home_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($1_tvtime_t,$1_tvtime_home_t,$1_tvtime_home_t)
 	type_transition $1_tvtime_t $1_home_dir_t:dir $1_tvtime_home_t;
 	userdom_user_home_dir_filetrans($1,$1_tvtime_t,$1_tvtime_home_t,dir)
-	allow $1_tvtime_t $1_tvtime_tmp_t:dir create_dir_perms;
+	manage_dirs_pattern($1_tvtime_t,$1_tvtime_tmp_t,$1_tvtime_tmp_t)
-	allow $1_tvtime_t $1_tvtime_tmp_t:file create_file_perms;
+	manage_files_pattern($1_tvtime_t,$1_tvtime_tmp_t,$1_tvtime_tmp_t)
-	files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file })
+	files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t,{ file dir })
-	allow $1_tvtime_t $1_tvtime_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+	manage_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t)
-	allow $1_tvtime_t $1_tvtime_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	manage_lnk_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t)
-	allow $1_tvtime_t $1_tvtime_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+	manage_fifo_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t)
-	allow $1_tvtime_t $1_tvtime_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	manage_sock_files_pattern($1_tvtime_t,$1_tvtime_tmpfs_t,$1_tvtime_tmpfs_t)
-	allow $1_tvtime_t $1_tvtime_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	fs_tmpfs_filetrans($1_tvtime_t,$1_tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file })
 	fs_tmpfs_filetrans($1_tvtime_t,$1_tvtime_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 	# Type transition
-	domain_auto_trans($2, tvtime_exec_t, $1_tvtime_t)
+	domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t)
 	allow $2 $1_tvtime_t:fd use;
 	allow $1_tvtime_t $2:fd use;
 	allow $1_tvtime_t $2:fifo_file rw_file_perms;
 	allow $1_tvtime_t $2:process sigchld;
 	# X access, Home files
-	allow $2 $1_tvtime_home_t:dir manage_dir_perms;
+	manage_dirs_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
-	allow $2 $1_tvtime_home_t:file manage_file_perms;
+	manage_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
-	allow $2 $1_tvtime_home_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
-	allow $2 $1_tvtime_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+	relabel_dirs_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
 	relabel_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
 	relabel_lnk_files_pattern($2,$1_tvtime_home_t,$1_tvtime_home_t)
 	# Allow the user domain to signal/ps.
-	allow $2 $1_tvtime_t:dir { search getattr read };
+	ps_process_pattern($2,$1_tvtime_t)
 	allow $2 $1_tvtime_t:{ file lnk_file } { read getattr };
 	allow $2 $1_tvtime_t:process getattr;
 	allow $2 $1_tvtime_t:process signal_perms;
 	kernel_read_all_sysctls($1_tvtime_t)
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@ -64,7 +64,8 @@ template(`uml_per_role_template',`
 	#
 	# Local policy
 	#
-	allow $1_uml_t self:fifo_file rw_file_perms;
+
 	allow $1_uml_t self:fifo_file rw_fifo_file_perms;
 	allow $1_uml_t self:process { signal_perms ptrace };
 	allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_uml_t self:unix_dgram_socket create_socket_perms;
@ -79,52 +80,58 @@ template(`uml_per_role_template',`
 	allow $1_uml_t $1_uml_devpts_t:chr_file { rw_file_perms setattr };
 	term_create_pty($1_uml_t,$1_uml_devpts_t)
-	allow $1_uml_t $1_uml_tmp_t:dir create_dir_perms;
+	manage_dirs_pattern($1_uml_t,$1_uml_tmp_t,$1_uml_tmp_t)
-	allow $1_uml_t $1_uml_tmp_t:file create_file_perms;
+	manage_files_pattern($1_uml_t,$1_uml_tmp_t,$1_uml_tmp_t)
 	files_tmp_filetrans($1_uml_t, $1_uml_tmp_t, { file dir })
 	can_exec($1_uml_t, $1_uml_tmp_t)
-	allow $1_uml_t $1_uml_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+	manage_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
-	allow $1_uml_t $1_uml_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	manage_lnk_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
-	allow $1_uml_t $1_uml_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+	manage_fifo_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
-	allow $1_uml_t $1_uml_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	manage_sock_files_pattern($1_uml_t,$1_uml_tmpfs_t,$1_uml_tmpfs_t)
-	allow $1_uml_t $1_uml_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	fs_tmpfs_filetrans($1_uml_t,$1_uml_tmpfs_t,{ file lnk_file sock_file fifo_file })
 	fs_tmpfs_filetrans($1_uml_t,$1_uml_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 	can_exec($1_uml_t, $1_uml_tmpfs_t)
 	# access config files
-	allow $1_uml_t { $1_uml_ro_t uml_ro_t }:dir r_dir_perms;
+	allow $1_uml_t { $1_uml_ro_t uml_ro_t }:dir list_dir_perms;
-	allow $1_uml_t { $1_uml_ro_t uml_ro_t }:file r_file_perms;
+	read_files_pattern($1_uml_t,{ $1_uml_ro_t uml_ro_t },{ $1_uml_ro_t uml_ro_t })
-	allow $1_uml_t { $1_uml_ro_t uml_ro_t }:lnk_file { getattr read };
+	read_lnk_files_pattern($1_uml_t,{ $1_uml_ro_t uml_ro_t },{ $1_uml_ro_t uml_ro_t })
-	allow $1_uml_t $1_uml_rw_t:dir create_dir_perms;
+	manage_dirs_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
-	allow $1_uml_t $1_uml_rw_t:file create_file_perms;
+	manage_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
-	allow $1_uml_t $1_uml_rw_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
-	allow $1_uml_t $1_uml_rw_t:sock_file create_file_perms;
+	manage_fifo_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
-	allow $1_uml_t $1_uml_rw_t:fifo_file create_file_perms;
+	manage_sock_files_pattern($1_uml_t,$1_uml_rw_t,$1_uml_rw_t)
 	userdom_user_home_dir_filetrans($1,$1_uml_t,$1_uml_rw_t,{ file lnk_file sock_file fifo_file })
-	allow $2 uml_ro_t:dir r_dir_perms;
+	allow $2 uml_ro_t:dir list_dir_perms;
-	allow $2 uml_ro_t:file r_file_perms;
+	read_files_pattern($2,uml_ro_t,uml_ro_t)
-	allow $2 uml_ro_t:lnk_file { getattr read };
+	read_lnk_files_pattern($2,uml_ro_t,uml_ro_t)
-	allow $2 { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms };
+	manage_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
-	allow $2 { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms };
+	manage_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
-	allow $2 { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms };
+	manage_lnk_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
-	allow $2 $1_uml_exec_t:file { relabelfrom relabelto create_file_perms };
+	manage_fifo_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
 	manage_sock_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
 	relabel_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
 	relabel_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
 	relabel_lnk_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
 	relabel_fifo_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
 	relabel_sock_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t },{ $1_uml_ro_t $1_uml_rw_t })
-	allow $2 $1_uml_t:process ptrace;
+	manage_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
-	allow $2 $1_uml_t:process signal_perms;
+	manage_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
 	relabel_dirs_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
 	relabel_files_pattern($2,{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t },{ $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t })
 	# allow ps, ptrace, signal
-	allow $2 $1_uml_t:dir { search getattr read };
+	ps_process_pattern($2,$1_uml_t)
-	allow $2 $1_uml_t:{ file lnk_file } { read getattr };
+	allow $2 $1_uml_t:process { ptrace signal_perms };
 	allow $2 $1_uml_t:process getattr;
-	allow $2 $1_uml_tmp_t:dir create_dir_perms;
+	manage_dirs_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
-	allow $2 $1_uml_tmp_t:file create_file_perms;
+	manage_files_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
-	allow $2 $1_uml_tmp_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
-	allow $2 $1_uml_tmp_t:sock_file create_file_perms;
+	manage_sock_files_pattern($2,$1_uml_tmp_t,$1_uml_tmp_t)
 	# Transition from the user domain to this domain.
 	domain_auto_trans($2, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
@ -245,7 +252,6 @@ interface(`uml_manage_util_files',`
 		type uml_switch_var_run_t;
 	')
-	allow $1 uml_switch_var_run_t:dir rw_dir_perms;
+	manage_files_pattern($1,uml_switch_var_run_t,uml_switch_var_run_t)
-	allow $1 uml_switch_var_run_t:file create_file_perms;
+	manage_lnk_files_pattern($1,uml_switch_var_run_t,uml_switch_var_run_t)
 	allow $1 uml_switch_var_run_t:lnk_file create_lnk_perms;
 ')
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@ -29,9 +29,8 @@ allow uml_switch_t self:process signal_perms;
 allow uml_switch_t self:unix_dgram_socket create_socket_perms;
 allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
-allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms;
+manage_files_pattern(uml_switch_t,uml_switch_var_run_t,uml_switch_var_run_t)
-allow uml_switch_t uml_switch_var_run_t:file create_file_perms;
+manage_sock_files_pattern(uml_switch_t,uml_switch_var_run_t,uml_switch_var_run_t)
 allow uml_switch_t uml_switch_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(uml_switch_t,uml_switch_var_run_t,file)
 kernel_read_kernel_sysctls(uml_switch_t)
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@ -57,8 +57,9 @@ template(`userhelper_per_role_template',`
 	#
 	allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
 	allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_userhelper_t self:process setexec;
 	allow $1_userhelper_t self:fd use;
-	allow $1_userhelper_t self:fifo_file rw_file_perms;
+	allow $1_userhelper_t self:fifo_file rw_fifo_file_perms;
 	allow $1_userhelper_t self:shm create_shm_perms;
 	allow $1_userhelper_t self:sem create_sem_perms;
 	allow $1_userhelper_t self:msgq create_msgq_perms;
@ -67,19 +68,13 @@ template(`userhelper_per_role_template',`
 	allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_userhelper_t self:unix_dgram_socket sendto;
 	allow $1_userhelper_t self:unix_stream_socket connectto;
-	allow $1_userhelper_t self:sock_file r_file_perms;
+	allow $1_userhelper_t self:sock_file read_sock_file_perms;
 	#Transition to the derived domain.
-	domain_auto_trans($2,userhelper_exec_t,$1_userhelper_t)
+	domtrans_pattern($2,userhelper_exec_t,$1_userhelper_t)
 	allow $2 $1_userhelper_t:fd use;
 	allow $1_userhelper_t $2:fd use;
 	allow $1_userhelper_t $2:fifo_file rw_file_perms;
 	allow $1_userhelper_t $2:process sigchld;
 	allow $1_userhelper_t self:process setexec;
 	allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;
 	allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
 	rw_files_pattern($1_userhelper_t,userhelper_conf_t,userhelper_conf_t)
 	can_exec($1_userhelper_t, userhelper_exec_t)
@ -199,11 +194,11 @@ template(`userhelper_per_role_template',`
 			allow $1_userhelper_t gphdomain:fd use;
 		')
 		optional_policy(`
-			domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
+			domtrans_pattern($1_userhelper_t, xauth_exec_t, $1_xauth_t)
 			allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
 		')
 		optional_policy(`
-			domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
+			domtrans_pattern($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
 		')
 		# for when the network connection is killed
 		dontaudit unpriv_userdomain $1_userhelper_t:process signal;
@ -269,6 +264,7 @@ template(`userhelper_use_user_fd',`
 	allow $2 $1_userhelper_t:fd use;
 ')
 ########################################
 ## <summary>
 ##	Allow domain to send sigchld to userhelper.
--- a/policy/modules/apps/usernetctl.if
+++ b/policy/modules/apps/usernetctl.if
@ -16,12 +16,7 @@ interface(`usernetctl_domtrans',`
 	')
 	tunable_policy(`user_net_control',`
-		domain_auto_trans($1,usernetctl_exec_t,usernetctl_t)
+		domtrans_pattern($1,usernetctl_exec_t,usernetctl_t)
 		allow $1 usernetctl_t:fd use;
 		allow usernetctl_t $1:fd use;
 		allow usernetctl_t $1:fifo_file rw_file_perms;
 		allow usernetctl_t $1:process sigchld;
 	',`
 		can_exec($1,usernetctl_exec_t)
 	')
--- a/policy/modules/apps/usernetctl.te
+++ b/policy/modules/apps/usernetctl.te
@ -20,7 +20,7 @@ domain_interactive_fd(usernetctl_t)
 allow usernetctl_t self:capability { setuid setgid dac_override };
 allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow usernetctl_t self:fd use;
-allow usernetctl_t self:fifo_file rw_file_perms;
+allow usernetctl_t self:fifo_file rw_fifo_file_perms;
 allow usernetctl_t self:shm create_shm_perms;
 allow usernetctl_t self:sem create_sem_perms;
 allow usernetctl_t self:msgq create_msgq_perms;
--- a/policy/modules/apps/vmware.if
+++ b/policy/modules/apps/vmware.if
@ -64,17 +64,12 @@ template(`vmware_per_role_template',`
 	# Local policy
 	#
 	domain_auto_trans($2, vmware_exec_t, $1_vmware_t)
 	allow $1_vmware_t $2:fd use;
 	allow $1_vmware_t $2:fifo_file rw_file_perms;
 	allow $1_vmware_t $2:process sigchld;
 	allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
 	dontaudit $1_vmware_t self:capability sys_tty_config;
 	allow $1_vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_vmware_t self:process { execmem execstack };
 	allow $1_vmware_t self:fd use;
-	allow $1_vmware_t self:fifo_file rw_file_perms;
+	allow $1_vmware_t self:fifo_file rw_fifo_file_perms;
 	allow $1_vmware_t self:unix_dgram_socket create_socket_perms;
 	allow $1_vmware_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_vmware_t self:unix_dgram_socket sendto;
@ -90,33 +85,34 @@ template(`vmware_per_role_template',`
 	allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms;
 	# VMWare disks
-	allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
+	manage_files_pattern($1_vmware_t,$1_vmware_file_t,$1_vmware_file_t)
-	allow $1_vmware_t $1_vmware_file_t:file manage_file_perms;
+	manage_lnk_files_pattern($1_vmware_t,$1_vmware_file_t,$1_vmware_file_t)
 	allow $1_vmware_t $1_vmware_file_t:lnk_file create_lnk_perms;
-	allow $1_vmware_t $1_vmware_tmp_t:dir manage_dir_perms;
+	allow $1_vmware_t $1_vmware_tmp_t:file execute;
-	allow $1_vmware_t $1_vmware_tmp_t:file { manage_file_perms execute };
+	manage_dirs_pattern($1_vmware_t,$1_vmware_tmp_t,$1_vmware_tmp_t)
-	allow $1_vmware_t $1_vmware_tmp_t:sock_file manage_file_perms;
+	manage_files_pattern($1_vmware_t,$1_vmware_tmp_t,$1_vmware_tmp_t)
 	manage_sock_files_pattern($1_vmware_t,$1_vmware_tmp_t,$1_vmware_tmp_t)
 	files_tmp_filetrans($1_vmware_t, $1_vmware_tmp_t, { file dir })
-	allow $1_vmware_t $1_vmware_tmpfs_t:dir rw_dir_perms;
+	manage_files_pattern($1_vmware_t,$1_vmware_tmpfs_t,$1_vmware_tmpfs_t)
-	allow $1_vmware_t $1_vmware_tmpfs_t:file manage_file_perms;
+	manage_lnk_files_pattern($1_vmware_t,$1_vmware_tmpfs_t,$1_vmware_tmpfs_t)
-	allow $1_vmware_t $1_vmware_tmpfs_t:lnk_file create_lnk_perms;
+	manage_fifo_files_pattern($1_vmware_t,$1_vmware_tmpfs_t,$1_vmware_tmpfs_t)
-	allow $1_vmware_t $1_vmware_tmpfs_t:sock_file manage_file_perms;
+	manage_sock_files_pattern($1_vmware_t,$1_vmware_tmpfs_t,$1_vmware_tmpfs_t)
 	allow $1_vmware_t $1_vmware_tmpfs_t:fifo_file manage_file_perms;
 	fs_tmpfs_filetrans($1_vmware_t,$1_vmware_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 	# Read clobal configuration files
-	allow $1_vmware_t vmware_sys_conf_t:dir r_dir_perms;
+	allow $1_vmware_t vmware_sys_conf_t:dir list_dir_perms;
-	allow $1_vmware_t vmware_sys_conf_t:file r_file_perms;
+	read_files_pattern($1_vmware_t,vmware_sys_conf_t,vmware_sys_conf_t)
-	allow $1_vmware_t vmware_sys_conf_t:lnk_file { getattr read };
+	read_lnk_files_pattern($1_vmware_t,vmware_sys_conf_t,vmware_sys_conf_t)
-	allow $1_vmware_t $1_vmware_var_run_t:file manage_file_perms;
+	manage_dirs_pattern($1_vmware_t,$1_vmware_var_run_t,$1_vmware_var_run_t)
-	allow $1_vmware_t $1_vmware_var_run_t:sock_file manage_file_perms;
+	manage_files_pattern($1_vmware_t,$1_vmware_var_run_t,$1_vmware_var_run_t)
-	allow $1_vmware_t $1_vmware_var_run_t:lnk_file create_lnk_perms;
+	manage_lnk_files_pattern($1_vmware_t,$1_vmware_var_run_t,$1_vmware_var_run_t)
-	allow $1_vmware_t $1_vmware_var_run_t:dir manage_dir_perms;
+	manage_sock_files_pattern($1_vmware_t,$1_vmware_var_run_t,$1_vmware_var_run_t)
 	files_pid_filetrans($1_vmware_t,$1_vmware_var_run_t,{ dir file lnk_file })
 	domtrans_pattern($2, vmware_exec_t, $1_vmware_t)
 	kernel_read_system_state($1_vmware_t)
 	kernel_read_network_state($1_vmware_t)
 	kernel_read_kernel_sysctls($1_vmware_t)
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@ -30,17 +30,15 @@ files_pid_file(vmware_var_run_t)
 allow vmware_host_t self:capability { setuid net_raw };
 dontaudit vmware_host_t self:capability sys_tty_config;
 allow vmware_host_t self:process signal_perms;
-allow vmware_host_t self:fifo_file rw_file_perms;
+allow vmware_host_t self:fifo_file rw_fifo_file_perms;
 allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
 allow vmware_host_t self:rawip_socket create_socket_perms;
 # cjp: the ro and rw files should be split up
-allow vmware_host_t vmware_sys_conf_t:dir rw_dir_perms;
+manage_files_pattern(vmware_host_t,vmware_sys_conf_t,vmware_sys_conf_t)
 allow vmware_host_t vmware_sys_conf_t:file manage_file_perms;
-allow vmware_host_t vmware_var_run_t:file manage_file_perms;
+manage_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
-allow vmware_host_t vmware_var_run_t:sock_file manage_file_perms;
+manage_sock_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t)
 allow vmware_host_t vmware_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file })
 kernel_read_kernel_sysctls(vmware_host_t)
--- a/policy/modules/apps/webalizer.if
+++ b/policy/modules/apps/webalizer.if
@ -15,12 +15,7 @@ interface(`webalizer_domtrans',`
 		type webalizer_t, webalizer_exec_t;
 	')
-	domain_auto_trans($1,webalizer_exec_t,webalizer_t)
+	domtrans_pattern($1,webalizer_exec_t,webalizer_t)
 	allow $1 webalizer_t:fd use;
 	allow webalizer_t $1:fd use;
 	allow webalizer_t $1:fifo_file rw_file_perms;
 	allow webalizer_t $1:process sigchld;
 ')
 ########################################
--- a/policy/modules/apps/webalizer.te
+++ b/policy/modules/apps/webalizer.te
@ -5,6 +5,7 @@ policy_module(webalizer,1.3.0)
 #
 # Declarations
 #
 type webalizer_t;
 type webalizer_exec_t;
 domain_type(webalizer_t)
@ -30,11 +31,12 @@ files_type(webalizer_write_t)
 #
 # Local policy
 #
 allow webalizer_t self:capability dac_override;
 allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow webalizer_t self:fd use;
-allow webalizer_t self:fifo_file rw_file_perms;
+allow webalizer_t self:fifo_file rw_fifo_file_perms;
-allow webalizer_t self:sock_file r_file_perms;
+allow webalizer_t self:sock_file read_sock_file_perms;
 allow webalizer_t self:shm create_shm_perms;
 allow webalizer_t self:sem create_sem_perms;
 allow webalizer_t self:msgq create_msgq_perms;
@ -49,12 +51,11 @@ allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
 allow webalizer_t webalizer_etc_t:file { getattr read };
-allow webalizer_t webalizer_tmp_t:dir create_dir_perms;
+manage_dirs_pattern(webalizer_t,webalizer_tmp_t,webalizer_tmp_t)
-allow webalizer_t webalizer_tmp_t:file create_file_perms;
+manage_files_pattern(webalizer_t,webalizer_tmp_t,webalizer_tmp_t)
 files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
-allow webalizer_t webalizer_var_lib_t:file create_file_perms;
+manage_files_pattern(webalizer_t,webalizer_var_lib_t,webalizer_var_lib_t)
 allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms;
 files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t,file)
 kernel_read_kernel_sysctls(webalizer_t)
@ -92,6 +93,10 @@ ifdef(`targeted_policy',`
 	term_use_unallocated_ttys(webalizer_t)
 ')
 optional_policy(`
 	cron_system_entry(webalizer_t,webalizer_exec_t)
 ')
 optional_policy(`
 	ftp_read_log(webalizer_t)
 ')
@ -103,7 +108,3 @@ optional_policy(`
 optional_policy(`
 	nscd_socket_use(webalizer_t)
 ')
 optional_policy(`
 	cron_system_entry(webalizer_t,webalizer_exec_t)
 ')
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@ -16,10 +16,5 @@ interface(`wine_domtrans',`
 	')
 	corecmd_search_bin($1)
-	domain_auto_trans($1, wine_exec_t, wine_t)
+	domtrans_pattern($1, wine_exec_t, wine_t)
 	allow $1 wine_t:fd use;
 	allow wine_t $1:fd use;
 	allow wine_t $1:fifo_file rw_file_perms;
 	allow wine_t $1:process sigchld;
 ')
--- a/policy/modules/apps/yam.if
+++ b/policy/modules/apps/yam.if
@ -16,12 +16,7 @@ interface(`yam_domtrans',`
 	')
 	corecmd_search_sbin($1)
-	domain_auto_trans($1,yam_exec_t,yam_t)
+	domtrans_pattern($1,yam_exec_t,yam_t)
 	allow $1 yam_t:fd use;
 	allow yam_t $1:fd use;
 	allow yam_t $1:fifo_file rw_file_perms;
 	allow yam_t $1:process sigchld;
 ')
 ########################################
@ -72,6 +67,6 @@ interface(`yam_read_content',`
 	')
 	allow $1 yam_content_t:dir list_dir_perms;
-	allow $1 yam_content_t:file read_file_perms;
+	read_files_pattern($1,yam_content_t,yam_content_t)
-	allow $1 yam_content_t:lnk_file { getattr read };
+	read_lnk_files_pattern($1,yam_content_t,yam_content_t)
 ')
--- a/policy/modules/apps/yam.te
+++ b/policy/modules/apps/yam.te
@ -29,7 +29,7 @@ allow yam_t self:capability { chown fowner fsetid dac_override };
 allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow yam_t self:process execmem;
 allow yam_t self:fd use;
-allow yam_t self:fifo_file rw_file_perms;
+allow yam_t self:fifo_file rw_fifo_file_perms;
 allow yam_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow yam_t self:unix_dgram_socket { create_socket_perms sendto };
 allow yam_t self:shm create_shm_perms;
@ -39,15 +39,15 @@ allow yam_t self:msg { send receive };
 allow yam_t self:tcp_socket create_socket_perms;
 # Update the content being managed by yam.
-allow yam_t yam_content_t:dir create_dir_perms;
+manage_dirs_pattern(yam_t,yam_content_t,yam_content_t)
-allow yam_t yam_content_t:file create_file_perms;
+manage_files_pattern(yam_t,yam_content_t,yam_content_t)
-allow yam_t yam_content_t:lnk_file create_lnk_perms;
+manage_lnk_files_pattern(yam_t,yam_content_t,yam_content_t)
 allow yam_t yam_etc_t:file { getattr read };
 files_search_etc(yam_t)
-allow yam_t yam_tmp_t:dir create_dir_perms;
+manage_files_pattern(yam_t,yam_tmp_t,yam_tmp_t)
-allow yam_t yam_tmp_t:file create_file_perms;
+manage_dirs_pattern(yam_t,yam_tmp_t,yam_tmp_t)
 files_tmp_filetrans(yam_t, yam_tmp_t, { file dir })
 kernel_read_kernel_sysctls(yam_t)
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@ -133,7 +133,7 @@ interface(`corecmd_search_bin',`
 		type bin_t;
 	')
-	allow $1 bin_t:dir search_dir_perms;
+	search_dirs_pattern($1,bin_t,bin_t)
 ')
 ########################################
@ -151,7 +151,7 @@ interface(`corecmd_list_bin',`
 		type bin_t;
 	')
-	allow $1 bin_t:dir list_dir_perms;
+	list_dirs_pattern($1,bin_t,bin_t)
 ')
 ########################################
@ -169,7 +169,7 @@ interface(`corecmd_getattr_bin_files',`
 		type bin_t;
 	')
-	allow $1 bin_t:file getattr;
+	getattr_files_pattern($1,bin_t,bin_t)
 ')
 ########################################
@ -187,8 +187,7 @@ interface(`corecmd_read_bin_files',`
 		type bin_t;
 	')
-	allow $1 bin_t:dir search_dir_perms;
+	read_files_pattern($1,bin_t,bin_t)
 	allow $1 bin_t:file read_file_perms;
 ')
 ########################################
@ -206,8 +205,7 @@ interface(`corecmd_read_bin_symlinks',`
 		type bin_t;
 	')
-	allow $1 bin_t:dir search_dir_perms;
+	read_lnk_files_pattern($1,bin_t,bin_t)
 	allow $1 bin_t:lnk_file read_file_perms;
 ')
 ########################################
@ -225,8 +223,7 @@ interface(`corecmd_read_bin_pipes',`
 		type bin_t;
 	')
-	allow $1 bin_t:dir search_dir_perms;
+	read_fifo_files_pattern($1,bin_t,bin_t)
 	allow $1 bin_t:fifo_file read_file_perms;
 ')
 ########################################
@ -244,8 +241,7 @@ interface(`corecmd_read_bin_sockets',`
 		type bin_t;
 	')
-	allow $1 bin_t:dir search_dir_perms;
+	read_sock_files_pattern($1,bin_t,bin_t)
 	allow $1 bin_t:sock_file read_file_perms;
 ')
 ########################################
@ -264,10 +260,9 @@ interface(`corecmd_exec_bin',`
 		type bin_t;
 	')
-	allow $1 bin_t:dir list_dir_perms;
+	read_lnk_files_pattern($1,bin_t,bin_t)
-	allow $1 bin_t:lnk_file read_file_perms;
+	list_dirs_pattern($1,bin_t,bin_t)
 	can_exec($1,bin_t)
 ')
 ########################################
@ -285,8 +280,7 @@ interface(`corecmd_manage_bin_files',`
 		type bin_t;
 	')
-	allow $1 bin_t:dir rw_dir_perms;
+	manage_files_pattern($1,bin_t,bin_t)
 	allow $1 bin_t:file manage_file_perms;
 ')
 ########################################
@ -304,8 +298,7 @@ interface(`corecmd_relabel_bin_files',`
 		type bin_t;
 	')
-	allow $1 bin_t:dir search_dir_perms;
+	relabel_files_pattern($1,bin_t,bin_t)
 	allow $1 bin_t:file { relabelfrom relabelto };
 ')
 ########################################
@ -368,10 +361,8 @@ interface(`corecmd_bin_spec_domtrans',`
 		type bin_t;
 	')
-	allow $1 bin_t:dir search_dir_perms;
+	read_lnk_files_pattern($1,bin_t,bin_t)
-	allow $1 bin_t:lnk_file { getattr read };
+	domain_transition_pattern($1,bin_t,$2)
 	domain_trans($1,bin_t,$2)
 ')
 ########################################
@ -469,7 +460,7 @@ interface(`corecmd_list_sbin',`
 		type sbin_t;
 	')
-	allow $1 sbin_t:dir list_dir_perms;
+	list_dirs_pattern($1,sbin_t,sbin_t)
 ')
 ########################################
@ -487,7 +478,7 @@ interface(`corecmd_getattr_sbin_files',`
 		type sbin_t;
 	')
-	allow $1 sbin_t:file getattr;
+	getattr_files_pattern($1,sbin_t,sbin_t)
 ')
 ########################################
@ -524,8 +515,7 @@ interface(`corecmd_read_sbin_files',`
 		type sbin_t;
 	')
-	allow $1 sbin_t:dir search_dir_perms;
+	read_files_pattern($1,sbin_t,sbin_t)
 	allow $1 sbin_t:file read_file_perms;
 ')
 ########################################
@ -543,8 +533,7 @@ interface(`corecmd_read_sbin_symlinks',`
 		type sbin_t;
 	')
-	allow $1 sbin_t:dir search_dir_perms;
+	read_lnk_files_pattern($1,sbin_t,sbin_t)
 	allow $1 sbin_t:lnk_file read_file_perms;
 ')
 ########################################
@ -562,8 +551,7 @@ interface(`corecmd_read_sbin_pipes',`
 		type sbin_t;
 	')
-	allow $1 sbin_t:dir search_dir_perms;
+	read_fifo_files_pattern($1,sbin_t,sbin_t)
 	allow $1 sbin_t:fifo_file read_file_perms;
 ')
 ########################################
@ -581,8 +569,7 @@ interface(`corecmd_read_sbin_sockets',`
 		type sbin_t;
 	')
-	allow $1 sbin_t:dir search_dir_perms;
+	read_sock_files_pattern($1,sbin_t,sbin_t)
 	allow $1 sbin_t:sock_file read_file_perms;
 ')
 ########################################
@ -601,8 +588,8 @@ interface(`corecmd_exec_sbin',`
 		type sbin_t;
 	')
-	allow $1 sbin_t:dir list_dir_perms;
+	list_dirs_pattern($1,sbin_t,sbin_t)
-	allow $1 sbin_t:lnk_file read_file_perms;
+	read_lnk_files_pattern($1,sbin_t,sbin_t)
 	can_exec($1,sbin_t)
 ')
@ -622,8 +609,7 @@ interface(`corecmd_manage_sbin_files',`
 		type sbin_t;
 	')
-	allow $1 sbin_t:dir rw_dir_perms;
+	manage_files_pattern($1,sbin_t,sbin_t)
 	allow $1 sbin_t:file manage_file_perms;
 ')
 ########################################
@ -642,8 +628,7 @@ interface(`corecmd_relabel_sbin_files',`
 		type sbin_t;
 	')
-	allow $1 sbin_t:dir search_dir_perms;
+	relabel_files_pattern($1,sbin_t,sbin_t)
 	allow $1 sbin_t:file { relabelfrom relabelto };
 ')
 ########################################
@ -705,10 +690,8 @@ interface(`corecmd_sbin_domtrans',`
 		type sbin_t;
 	')
-	allow $1 sbin_t:dir search_dir_perms;
+	read_lnk_files_pattern($1,sbin_t,sbin_t)
-	allow $1 sbin_t:lnk_file { getattr read };
+	domain_auto_transition_pattern($1,sbin_t,$2)
 	domain_auto_trans($1,sbin_t,$2)
 ')
 ########################################
@ -752,10 +735,8 @@ interface(`corecmd_sbin_spec_domtrans',`
 		type sbin_t;
 	')
-	allow $1 sbin_t:dir search_dir_perms;
+	read_lnk_files_pattern($1,sbin_t,sbin_t)
-	allow $1 sbin_t:lnk_file { getattr read };
+	domain_transition_pattern($1,sbin_t,$2)
 	domain_trans($1,sbin_t,$2)
 ')
 ########################################
@ -773,8 +754,8 @@ interface(`corecmd_check_exec_shell',`
 		type bin_t, shell_exec_t;
 	')
-	allow $1 bin_t:dir list_dir_perms;
+	list_dirs_pattern($1,bin_t,bin_t)
-	allow $1 bin_t:lnk_file read_file_perms;
+	read_lnk_files_pattern($1,bin_t,bin_t)
 	allow $1 shell_exec_t:file execute;
 ')
@ -793,8 +774,8 @@ interface(`corecmd_exec_shell',`
 		type bin_t, shell_exec_t;
 	')
-	allow $1 bin_t:dir list_dir_perms;
+	list_dirs_pattern($1,bin_t,bin_t)
-	allow $1 bin_t:lnk_file read_file_perms;
+	read_lnk_files_pattern($1,bin_t,bin_t)
 	can_exec($1,shell_exec_t)
 ')
@ -813,8 +794,8 @@ interface(`corecmd_exec_ls',`
 		type bin_t, ls_exec_t;
 	')
-	allow $1 bin_t:dir list_dir_perms;
+	list_dirs_pattern($1,bin_t,bin_t)
-	allow $1 bin_t:lnk_file read_file_perms;
+	read_lnk_files_pattern($1,bin_t,bin_t)
 	can_exec($1,ls_exec_t)
 ')
@ -852,10 +833,9 @@ interface(`corecmd_shell_spec_domtrans',`
 		type bin_t, shell_exec_t;
 	')
-	allow $1 bin_t:dir list_dir_perms;
+	list_dirs_pattern($1,bin_t,bin_t)
-	allow $1 bin_t:lnk_file read_file_perms;
+	read_lnk_files_pattern($1,bin_t,bin_t)
-
+	domain_transition_pattern($1,shell_exec_t,$2)
 	domain_trans($1,shell_exec_t,$2)
 ')
 ########################################
@ -907,6 +887,7 @@ interface(`corecmd_exec_chroot',`
 		type chroot_exec_t;
 	')
 	read_lnk_files_pattern($1,bin_t,bin_t)
 	can_exec($1,chroot_exec_t)
 	allow $1 self:capability sys_chroot;
 ')
@ -929,8 +910,8 @@ interface(`corecmd_exec_all_executables',`
 	')
 	can_exec($1,exec_type)
-	allow $1 { bin_t sbin_t }:dir list_dir_perms;
+	list_dirs_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
-	allow $1 { bin_t sbin_t }:lnk_file read_file_perms;
+	read_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
 ')
 ########################################
@ -950,9 +931,8 @@ interface(`corecmd_manage_all_executables',`
 		type bin_t, sbin_t;
 	')
-	allow $1 exec_type:file manage_file_perms;
+	manage_files_pattern($1,{ bin_t sbin_t },exec_type)
-	allow $1 { bin_t sbin_t }:dir rw_dir_perms;
+	manage_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
 	allow $1 { bin_t sbin_t }:lnk_file create_lnk_perms;
 ')
 ########################################
@ -971,7 +951,7 @@ interface(`corecmd_relabel_all_executables',`
 		attribute exec_type;
 	')
-	allow $1 exec_type:file { relabelfrom relabelto };
+	allow $1 exec_type:file relabel_file_perms;
 ')
 ########################################
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@ -562,9 +562,9 @@ interface(`domain_read_all_domains_state',`
 	')
 	kernel_search_proc($1)
-	allow $1 domain:dir r_dir_perms;
+	allow $1 domain:dir list_dir_perms;
-	allow $1 domain:lnk_file r_file_perms;
+	read_files_pattern($1,domain,domain)
-	allow $1 domain:file r_file_perms;
+	read_lnk_files_pattern($1,domain,domain)
 ')
 ########################################
@ -621,11 +621,11 @@ interface(`domain_read_confined_domains_state',`
 	')
 	kernel_search_proc($1)
-	allow $1 { domain -unconfined_domain_type }:dir r_dir_perms;
+	allow $1 { domain -unconfined_domain_type }:dir list_dir_perms;
-	allow $1 { domain -unconfined_domain_type }:lnk_file r_file_perms;
+	read_files_pattern($1,{ domain -unconfined_domain_type },{ domain -unconfined_domain_type })
-	allow $1 { domain -unconfined_domain_type }:file r_file_perms;
+	read_lnk_files_pattern($1,{ domain -unconfined_domain_type },{ domain -unconfined_domain_type })
-	dontaudit $1 unconfined_domain_type:dir search;
+	dontaudit $1 unconfined_domain_type:dir search_dir_perms;
 	dontaudit $1 unconfined_domain_type:file { getattr read };
 ')
@ -740,13 +740,13 @@ interface(`domain_dontaudit_read_all_domains_state',`
 		attribute domain;
 	')
-	dontaudit $1 domain:dir r_dir_perms;
+	dontaudit $1 domain:dir list_dir_perms;
-	dontaudit $1 domain:lnk_file r_file_perms;
+	dontaudit $1 domain:lnk_file read_file_perms;
-	dontaudit $1 domain:file r_file_perms;
+	dontaudit $1 domain:file read_file_perms;
 	# cjp: these should be removed:
-	dontaudit $1 domain:sock_file r_file_perms;
+	dontaudit $1 domain:sock_file read_file_perms;
-	dontaudit $1 domain:fifo_file r_file_perms;
+	dontaudit $1 domain:fifo_file read_file_perms;
 ')
 ########################################
@ -765,7 +765,7 @@ interface(`domain_dontaudit_list_all_domains_state',`
 		attribute domain;
 	')
-	dontaudit $1 domain:dir r_dir_perms;
+	dontaudit $1 domain:dir list_dir_perms;
 ')
 ########################################
@ -1069,8 +1069,8 @@ interface(`domain_getattr_all_entry_files',`
 		attribute entry_type;
 	')
-	allow $1 entry_type:lnk_file getattr;
+	allow $1 entry_type:lnk_file read_lnk_file_perms;
-	allow $1 entry_type:file r_file_perms;
+	allow $1 entry_type:file getattr;
 ')
 ########################################
@ -1088,8 +1088,8 @@ interface(`domain_read_all_entry_files',`
 		attribute entry_type;
 	')
-	allow $1 entry_type:lnk_file r_file_perms;
+	allow $1 entry_type:lnk_file read_lnk_file_perms;
-	allow $1 entry_type:file r_file_perms;
+	allow $1 entry_type:file read_file_perms;
 ')
 ########################################
@ -1149,7 +1149,7 @@ interface(`domain_relabel_all_entry_files',`
 		attribute entry_type;
 	')
-	allow $1 entry_type:file { relabelfrom relabelto };
+	allow $1 entry_type:file relabel_file_perms;
 ')
 ########################################
@ -1168,7 +1168,7 @@ interface(`domain_mmap_all_entry_files',`
 		attribute entry_type;
 	')
-	allow $1 entry_type:file { getattr read execute };
+	allow $1 entry_type:file mmap_file_perms;
 ')
 ########################################
@ -1187,7 +1187,7 @@ interface(`domain_entry_file_spec_domtrans',`
 		attribute entry_type;
 	')
-	domain_trans($1,entry_type,$2)
+	domain_transition_pattern($1,entry_type,$2)
 ')
 ########################################
@ -1217,62 +1217,3 @@ interface(`domain_unconfined',`
 	typeattribute $1 can_change_object_identity;
 	typeattribute $1 set_curr_context;
 ')
 #
 # These next macros are not templates, but actually are 
 # support macros.  Due to the domain_ prefix, they 
 # are placed in this module, to try to prevent confusion.
 # They are called templates since regular m4 defines
 # wont work here.
 #
 ########################################
 ## <summary>
 ##	Specified domain transition requiring setexeccon.
 ## </summary>
 ## <param name="source_domain">
 ##	<summary>
 ##	Domain to transition from.
 ##	</summary>
 ## </param>
 ## <param name="entry_file">
 ##	<summary>
 ##	Type of program to execute.
 ##	</summary>
 ## </param>
 ## <param name="target_domain">
 ##	<summary>
 ##	Domain to transition to.
 ##	</summary>
 ## </param>
 #
 template(`domain_trans',`
 	allow $1 $2:file { getattr read execute };
 	allow $1 $3:process transition;
 	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
 ')
 ########################################
 ## <summary>
 ##	Automatic domain transition by type_transition.
 ## </summary>
 ## <param name="source_domain">
 ##	<summary>
 ##	Domain to transition from.
 ##	</summary>
 ## </param>
 ## <param name="entry_file">
 ##	<summary>
 ##	Type of program to execute.
 ##	</summary>
 ## </param>
 ## <param name="target_domain">
 ##	<summary>
 ##	Domain to transition to.
 ##	</summary>
 ## </param>
 #
 template(`domain_auto_trans',`
 	domain_trans($1,$2,$3)
 	type_transition $1 $2:process $3;
 ')
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@ -360,7 +360,7 @@ interface(`fs_search_auto_mountpoints',`
 		type autofs_t;
 	')
-	allow $1 autofs_t:dir { getattr search };
+	allow $1 autofs_t:dir search_dir_perms;
 ')
 ########################################
@ -380,7 +380,7 @@ interface(`fs_list_auto_mountpoints',`
 		type autofs_t;
 	')
-	allow $1 autofs_t:dir r_dir_perms;
+	allow $1 autofs_t:dir list_dir_perms;
 ')
 ########################################
@ -399,7 +399,7 @@ interface(`fs_dontaudit_list_auto_mountpoints',`
 		type autofs_t;
 	')
-	dontaudit $1 autofs_t:dir r_dir_perms;
+	dontaudit $1 autofs_t:dir list_dir_perms;
 ')
 ########################################
@ -418,8 +418,7 @@ interface(`fs_manage_autofs_symlinks',`
 		type autofs_t;
 	')
-	allow $1 autofs_t:dir rw_dir_perms;
+	manage_lnk_files_pattern($1,autofs_t,autofs_t)
 	allow $1 autofs_t:lnk_file create_lnk_perms;
 ')
 ########################################
@ -474,8 +473,7 @@ interface(`fs_register_binary_executable_type',`
 		type binfmt_misc_fs_t;
 	')
-	allow $1 binfmt_misc_fs_t:dir { getattr search };
+	rw_files_pattern($1,binfmt_misc_fs_t,binfmt_misc_fs_t)
 	allow $1 binfmt_misc_fs_t:file { getattr ioctl write read };
 ')
 ########################################
@ -568,7 +566,7 @@ interface(`fs_search_cifs',`
 		type cifs_t;
 	')
-	allow $1 cifs_t:dir search;
+	allow $1 cifs_t:dir search_dir_perms;
 ')
 ########################################
@ -587,7 +585,7 @@ interface(`fs_list_cifs',`
 		type cifs_t;
 	')
-	allow $1 cifs_t:dir r_dir_perms;
+	allow $1 cifs_t:dir list_dir_perms;
 ')
 ########################################
@ -606,7 +604,7 @@ interface(`fs_dontaudit_list_cifs',`
 		type cifs_t;
 	')
-	dontaudit $1 cifs_t:dir r_dir_perms;
+	dontaudit $1 cifs_t:dir list_dir_perms;
 ')
 ########################################
@ -625,8 +623,8 @@ interface(`fs_read_cifs_files',`
 		type cifs_t;
 	')
-	allow $1 cifs_t:dir r_dir_perms;
+	allow $1 cifs_t:dir list_dir_perms;
-	allow $1 cifs_t:file r_file_perms;
+	read_files_pattern($1,cifs_t,cifs_t)
 ')
 ########################################
@ -664,8 +662,7 @@ interface(`fs_list_noxattr_fs',`
 		attribute noxattrfs;
 	')
-	allow $1 noxattrfs:dir r_dir_perms;
+	allow $1 noxattrfs:dir list_dir_perms;
 ')
 ########################################
@ -701,9 +698,7 @@ interface(`fs_read_noxattr_fs_files',`
 		attribute noxattrfs;
 	')
-	allow $1 noxattrfs:dir search_dir_perms;
+	read_files_pattern($1,noxattrfs,noxattrfs)
 	allow $1 noxattrfs:file r_file_perms;
 ')
 ########################################
@ -721,8 +716,7 @@ interface(`fs_manage_noxattr_fs_files',`
 		attribute noxattrfs;
 	')
-	allow $1 noxattrfs:dir rw_dir_perms;
+	manage_files_pattern($1,noxattrfs,noxattrfs)
 	allow $1 noxattrfs:file manage_file_perms;
 ')
 ########################################
@ -740,8 +734,7 @@ interface(`fs_read_noxattr_fs_symlinks',`
 		attribute noxattrfs;
 	')
-	allow $1 noxattrfs:dir search_dir_perms;
+	read_lnk_files_pattern($1,noxattrfs,noxattrfs)
 	allow $1 noxattrfs:lnk_file r_file_perms;
 ')
 ########################################
@ -760,7 +753,7 @@ interface(`fs_dontaudit_read_cifs_files',`
 		type cifs_t;
 	')
-	dontaudit $1 cifs_t:file r_file_perms;
+	dontaudit $1 cifs_t:file read_file_perms;
 ')
 ########################################
@ -797,8 +790,8 @@ interface(`fs_read_cifs_symlinks',`
 		type cifs_t;
 	')
-	allow $1 cifs_t:dir r_dir_perms;
+	allow $1 cifs_t:dir list_dir_perms;
-	allow $1 cifs_t:lnk_file r_file_perms;
+	read_lnk_files_pattern($1,cifs_t,cifs_t)
 ')
 ########################################
@ -819,8 +812,8 @@ interface(`fs_exec_cifs_files',`
 		type cifs_t;
 	')
-	allow $1 cifs_t:dir r_dir_perms;
+	allow $1 cifs_t:dir list_dir_perms;
-	can_exec($1, cifs_t)
+	exec_files_pattern($1,cifs_t,cifs_t)
 ')
 ########################################
@ -840,7 +833,7 @@ interface(`fs_manage_cifs_dirs',`
 		type cifs_t;
 	')
-	allow $1 cifs_t:dir create_dir_perms;
+	allow $1 cifs_t:dir manage_dir_perms;
 ')
 ########################################
@ -860,7 +853,7 @@ interface(`fs_dontaudit_manage_cifs_dirs',`
 		type cifs_t;
 	')
-	dontaudit $1 cifs_t:dir create_dir_perms;
+	dontaudit $1 cifs_t:dir manage_dir_perms;
 ')
 ########################################
@ -880,8 +873,7 @@ interface(`fs_manage_cifs_files',`
 		type cifs_t;
 	')
-	allow $1 cifs_t:dir rw_dir_perms;
+	manage_files_pattern($1,cifs_t,cifs_t)
 	allow $1 cifs_t:file create_file_perms;
 ')
 ########################################
@ -901,7 +893,7 @@ interface(`fs_dontaudit_manage_cifs_files',`
 		type cifs_t;
 	')
-	dontaudit $1 cifs_t:file create_file_perms;
+	dontaudit $1 cifs_t:file manage_file_perms;
 ')
 ########################################
@ -920,8 +912,7 @@ interface(`fs_manage_cifs_symlinks',`
 		type cifs_t;
 	')
-	allow $1 cifs_t:dir rw_dir_perms;
+	manage_lnk_files_pattern($1,cifs_t,cifs_t)
 	allow $1 cifs_t:lnk_file create_lnk_perms;
 ')
 ########################################
@ -940,8 +931,7 @@ interface(`fs_manage_cifs_named_pipes',`
 		type cifs_t;
 	')
-	allow $1 cifs_t:dir rw_dir_perms;
+	manage_fifo_files_pattern($1,cifs_t,cifs_t)
 	allow $1 cifs_t:fifo_file create_file_perms;
 ')
 ########################################
@ -960,8 +950,7 @@ interface(`fs_manage_cifs_named_sockets',`
 		type cifs_t;
 	')
-	allow $1 cifs_t:dir rw_file_perms;
+	manage_sock_files_pattern($1,cifs_t,cifs_t)
 	allow $1 cifs_t:sock_file create_file_perms;
 ')
 ########################################
@ -1004,9 +993,8 @@ interface(`fs_cifs_domtrans',`
 		type cifs_t;
 	')
-	allow $1 cifs_t:dir search;
+	allow $1 cifs_t:dir search_dir_perms;
-
+	domain_auto_transition_pattern($1,cifs_t,$2)
 	domain_auto_trans($1,cifs_t,$2)
 ')
 ########################################
@ -1122,8 +1110,7 @@ interface(`fs_manage_dos_files',`
 		type dosfs_t;
 	')
-	allow $1 dosfs_t:dir rw_dir_perms;
+	manage_files_pattern($1,dosfs_t,dosfs_t)
 	allow $1 dosfs_t:file manage_file_perms;
 ')
 ########################################
@ -1182,7 +1169,7 @@ interface(`fs_list_inotifyfs',`
 		type inotifyfs_t;
 	')
-	allow $1 inotifyfs_t:dir r_dir_perms;
+	allow $1 inotifyfs_t:dir list_dir_perms;
 ')
 ########################################
@ -1280,8 +1267,8 @@ interface(`fs_read_iso9660_files',`
 	')
 	allow $1 iso9660_t:dir list_dir_perms;
-	allow $1 iso9660_t:file read_file_perms;
+	read_files_pattern($1,iso9660_t,iso9660_t)
-	allow $1 iso9660_t:lnk_file { getattr read };
+	read_lnk_files_pattern($1,iso9660_t,iso9660_t)
 ')
 ########################################
@ -1373,7 +1360,7 @@ interface(`fs_search_nfs',`
 		type nfs_t;
 	')
-	allow $1 nfs_t:dir search;
+	allow $1 nfs_t:dir search_dir_perms;
 ')
 ########################################
@ -1391,7 +1378,7 @@ interface(`fs_list_nfs',`
 		type nfs_t;
 	')
-	allow $1 nfs_t:dir r_dir_perms;
+	allow $1 nfs_t:dir list_dir_perms;
 ')
 ########################################
@ -1410,7 +1397,7 @@ interface(`fs_dontaudit_list_nfs',`
 		type nfs_t;
 	')
-	dontaudit $1 nfs_t:dir r_dir_perms;
+	dontaudit $1 nfs_t:dir list_dir_perms;
 ')
 ########################################
@ -1429,8 +1416,8 @@ interface(`fs_read_nfs_files',`
 		type nfs_t;
 	')
-	allow $1 nfs_t:dir r_dir_perms;
+	allow $1 nfs_t:dir list_dir_perms;
-	allow $1 nfs_t:file r_file_perms;
+	read_files_pattern($1,nfs_t,nfs_t)
 ')
 ########################################
@ -1449,7 +1436,7 @@ interface(`fs_dontaudit_read_nfs_files',`
 		type nfs_t;
 	')
-	dontaudit $1 nfs_t:file r_file_perms;
+	dontaudit $1 nfs_t:file read_file_perms;
 ')
 ########################################
@ -1467,8 +1454,8 @@ interface(`fs_write_nfs_files',`
 		type nfs_t;
 	')
-	allow $1 nfs_t:dir r_dir_perms;
+	allow $1 nfs_t:dir list_dir_perms;
-	allow $1 nfs_t:file write;
+	write_files_pattern($1,nfs_t,nfs_t)
 ')
 ########################################
@ -1487,8 +1474,8 @@ interface(`fs_exec_nfs_files',`
 		type nfs_t;
 	')
-	allow $1 nfs_t:dir r_dir_perms;
+	allow $1 nfs_t:dir list_dir_perms;
-	can_exec($1, nfs_t)
+	exec_files_pattern($1,nfs_t,nfs_t)
 ')
 ########################################
@ -1525,8 +1512,8 @@ interface(`fs_read_nfs_symlinks',`
 		type nfs_t;
 	')
-	allow $1 nfs_t:dir r_dir_perms;
+	allow $1 nfs_t:dir list_dir_perms;
-	allow $1 nfs_t:lnk_file r_file_perms;
+	read_lnk_files_pattern($1,nfs_t,nfs_t)
 ')
 ########################################
@ -1581,8 +1568,7 @@ interface(`fs_search_removable',`
 		type removable_t;
 	')
-	allow $1 removable_t:dir { getattr read search };
+	allow $1 removable_t:dir search_dir_perms;
 ')
 ########################################
@ -1599,7 +1585,8 @@ interface(`fs_dontaudit_list_removable',`
 	gen_require(`
 		type removable_t;
 	')
-	dontaudit $1 removable_t:dir r_dir_perms;
+
 	dontaudit $1 removable_t:dir list_dir_perms;
 ')
 ########################################
@ -1617,8 +1604,7 @@ interface(`fs_read_removable_files',`
 		type removable_t;
 	')
-	allow $1 removable_t:file { read getattr };
+	read_files_pattern($1,removable_t,removable_t)
 ')
 ########################################
@ -1635,7 +1621,8 @@ interface(`fs_dontaudit_read_removable_files',`
 	gen_require(`
 		type removable_t;
 	')
-	dontaudit $1 removable_t:file r_file_perms;
+
 	dontaudit $1 removable_t:file read_file_perms;
 ')
 ########################################
@ -1653,8 +1640,7 @@ interface(`fs_read_removable_symlinks',`
 		type removable_t;
 	')
-	allow $1 removable_t:lnk_file { getattr read };
+	read_lnk_files_pattern($1,removable_t,removable_t)
 ')
 ########################################
@ -1672,8 +1658,7 @@ interface(`fs_list_rpc',`
 		type rpc_pipefs_t;
 	')
-	allow $1 rpc_pipefs_t:dir { getattr read search };
+	allow $1 rpc_pipefs_t:dir list_dir_perms;
 ')
 ########################################
@ -1691,8 +1676,7 @@ interface(`fs_read_rpc_files',`
 		type rpc_pipefs_t;
 	')
-	allow $1 rpc_pipefs_t:file { read getattr };
+	read_files_pattern($1,rpc_pipefs_t,rpc_pipefs_t)
 ')
 ########################################
@ -1710,8 +1694,7 @@ interface(`fs_read_rpc_symlinks',`
 		type rpc_pipefs_t;
 	')
-	allow $1 rpc_pipefs_t:lnk_file { getattr read };
+	read_lnk_files_pattern($1,rpc_pipefs_t,rpc_pipefs_t)
 ')
 ########################################
@ -1750,7 +1733,7 @@ interface(`fs_manage_nfs_dirs',`
 		type nfs_t;
 	')
-	allow $1 nfs_t:dir create_dir_perms;
+	allow $1 nfs_t:dir manage_dir_perms;
 ')
 ########################################
@ -1770,7 +1753,7 @@ interface(`fs_dontaudit_manage_nfs_dirs',`
 		type nfs_t;
 	')
-	dontaudit $1 nfs_t:dir create_dir_perms;
+	dontaudit $1 nfs_t:dir manage_dir_perms;
 ')
 ########################################
@ -1790,8 +1773,7 @@ interface(`fs_manage_nfs_files',`
 		type nfs_t;
 	')
-	allow $1 nfs_t:dir rw_dir_perms;
+	manage_files_pattern($1,nfs_t,nfs_t)
 	allow $1 nfs_t:file create_file_perms;
 ')
 ########################################
@ -1811,7 +1793,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
 		type nfs_t;
 	')
-	dontaudit $1 nfs_t:file create_file_perms;
+	dontaudit $1 nfs_t:file manage_file_perms;
 ')
 #########################################
@ -1831,8 +1813,7 @@ interface(`fs_manage_nfs_symlinks',`
 		type nfs_t;
 	')
-	allow $1 nfs_t:dir rw_dir_perms;
+	manage_lnk_files_pattern($1,nfs_t,nfs_t)
 	allow $1 nfs_t:lnk_file create_lnk_perms;
 ')
 #########################################
@ -1851,8 +1832,7 @@ interface(`fs_manage_nfs_named_pipes',`
 		type nfs_t;
 	')
-	allow $1 nfs_t:dir rw_dir_perms;
+	manage_fifo_files_pattern($1,nfs_t,nfs_t)
 	allow $1 nfs_t:fifo_file create_file_perms;
 ')
 #########################################
@ -1871,8 +1851,7 @@ interface(`fs_manage_nfs_named_sockets',`
 		type nfs_t;
 	')
-	allow $1 nfs_t:dir rw_dir_perms;
+	manage_sock_files_pattern($1,nfs_t,nfs_t)
 	allow $1 nfs_t:sock_file create_file_perms;
 ')
 ########################################
@ -1915,9 +1894,8 @@ interface(`fs_nfs_domtrans',`
 		type nfs_t;
 	')
-	allow $1 nfs_t:dir search;
+	allow $1 nfs_t:dir search_dir_perms;
-
+	domain_auto_transition_pattern($1,nfs_t,$2)
 	domain_auto_trans($1,nfs_t,$2)
 ')
 ########################################
@ -2009,7 +1987,7 @@ interface(`fs_search_nfsd_fs',`
 		type nfsd_fs_t;
 	')
-	allow $1 nfsd_fs_t:dir search;
+	allow $1 nfsd_fs_t:dir search_dir_perms;
 ')
 ########################################
@ -2027,7 +2005,7 @@ interface(`fs_rw_nfsd_fs',`
 		type nfsd_fs_t;
 	')
-	allow $1 nfsd_fs_t:file rw_file_perms;
+	rw_files_pattern($1,nfsd_fs_t,nfsd_fs_t)
 ')
 ########################################
@ -2136,7 +2114,7 @@ interface(`fs_dontaudit_search_ramfs',`
 		type ramfs_t;
 	')
-	dontaudit $1 ramfs_t:dir search;
+	dontaudit $1 ramfs_t:dir search_dir_perms;
 ')
 ########################################
@ -2210,8 +2188,7 @@ interface(`fs_manage_ramfs_files',`
 		type ramfs_t;
 	')
-	allow $1 ramfs_t:dir rw_dir_perms;
+	manage_files_pattern($1,ramfs_t,ramfs_t)
 	allow $1 ramfs_t:file manage_file_perms;
 ')
 ########################################
@ -2229,8 +2206,7 @@ interface(`fs_write_ramfs_pipes',`
 		type ramfs_t;
 	')
-	allow $1 ramfs_t:dir search_dir_perms;
+	write_fifo_files_pattern($1,ramfs_t,ramfs_t)
 	allow $1 ramfs_t:fifo_file write;
 ')
 ########################################
@ -2267,8 +2243,7 @@ interface(`fs_rw_ramfs_pipes',`
 		type ramfs_t;
 	')
-	allow $1 ramfs_t:dir search_dir_perms;
+	rw_fifo_files_pattern($1,ramfs_t,ramfs_t)
 	allow $1 ramfs_t:fifo_file rw_file_perms;
 ')
 ########################################
@ -2287,8 +2262,7 @@ interface(`fs_manage_ramfs_pipes',`
 		type ramfs_t;
 	')
-	allow $1 ramfs_t:dir rw_dir_perms;
+	manage_fifo_files_pattern($1,ramfs_t,ramfs_t)
 	allow $1 ramfs_t:fifo_file manage_file_perms;
 ')
 ########################################
@ -2306,7 +2280,7 @@ interface(`fs_write_ramfs_sockets',`
 		type ramfs_t;
 	')
-	allow $1 ramfs_t:sock_file write;
+	write_sock_files_pattern($1,ramfs_t,ramfs_t)
 ')
 ########################################
@ -2325,8 +2299,7 @@ interface(`fs_manage_ramfs_sockets',`
 		type ramfs_t;
 	')
-	allow $1 ramfs_t:dir rw_dir_perms;
+	manage_sock_files_pattern($1,ramfs_t,ramfs_t)
 	allow $1 ramfs_t:sock_file manage_file_perms;
 ')
 ########################################
@ -2657,7 +2630,7 @@ interface(`fs_search_tmpfs',`
 		type tmpfs_t;
 	')
-	allow $1 tmpfs_t:dir search;
+	allow $1 tmpfs_t:dir search_dir_perms;
 ')
 ########################################
@ -2675,7 +2648,7 @@ interface(`fs_list_tmpfs',`
 		type tmpfs_t;
 	')
-	allow $1 tmpfs_t:dir r_dir_perms;
+	allow $1 tmpfs_t:dir list_dir_perms;
 ')
 ########################################
@ -2694,7 +2667,7 @@ interface(`fs_dontaudit_list_tmpfs',`
 		type tmpfs_t;
 	')
-	dontaudit $1 tmpfs_t:dir r_dir_perms;
+	dontaudit $1 tmpfs_t:dir list_dir_perms;
 ')
 ########################################
@ -2713,7 +2686,7 @@ interface(`fs_manage_tmpfs_dirs',`
 		type tmpfs_t;
 	')
-	allow $1 tmpfs_t:dir create_dir_perms;
+	allow $1 tmpfs_t:dir manage_dir_perms;
 ')
 ########################################
@ -2743,8 +2716,7 @@ interface(`fs_tmpfs_filetrans',`
 	')
 	allow $2 tmpfs_t:filesystem associate;
-	allow $1 tmpfs_t:dir rw_dir_perms;
+	filetrans_pattern($1,tmpfs_t,$2,$3)
 	type_transition $1 tmpfs_t:$3 $2;
 ')
 ########################################
@ -2800,8 +2772,7 @@ interface(`fs_rw_tmpfs_files',`
 		type tmpfs_t;
 	')
-	fs_search_tmpfs($1)
+	rw_files_pattern($1,tmpfs_t,tmpfs_t)
 	allow $1 tmpfs_t:file rw_file_perms;
 ')
 ########################################
@ -2819,8 +2790,7 @@ interface(`fs_read_tmpfs_symlinks',`
 		type tmpfs_t;
 	')
-	fs_search_tmpfs($1)
+	read_lnk_files_pattern($1,tmpfs_t,tmpfs_t)
 	allow $1 tmpfs_t:lnk_file read;
 ')
 ########################################
@ -2838,8 +2808,8 @@ interface(`fs_rw_tmpfs_chr_files',`
 		type tmpfs_t;
 	')
-	allow $1 tmpfs_t:dir r_dir_perms;
+	allow $1 tmpfs_t:dir list_dir_perms;
-	allow $1 tmpfs_t:chr_file rw_file_perms;
+	rw_chr_files_pattern($1,tmpfs_t,tmpfs_t)
 ')
 ########################################
@ -2857,8 +2827,8 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
 		type tmpfs_t;
 	')
-	dontaudit $1 tmpfs_t:dir r_dir_perms;
+	dontaudit $1 tmpfs_t:dir list_dir_perms;
-	dontaudit $1 tmpfs_t:chr_file rw_file_perms;
+	dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms;
 ')
 ########################################
@ -2876,8 +2846,8 @@ interface(`fs_relabel_tmpfs_chr_file',`
 		type tmpfs_t;
 	')
-	allow $1 tmpfs_t:dir r_dir_perms;
+	allow $1 tmpfs_t:dir list_dir_perms;
-	allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
+	relabel_chr_files_pattern($1,tmpfs_t,tmpfs_t)
 ')
 ########################################
@ -2895,8 +2865,8 @@ interface(`fs_rw_tmpfs_blk_files',`
 		type tmpfs_t;
 	')
-	allow $1 tmpfs_t:dir r_dir_perms;
+	allow $1 tmpfs_t:dir list_dir_perms;
-	allow $1 tmpfs_t:blk_file rw_file_perms;
+	rw_blk_files_pattern($1,tmpfs_t,tmpfs_t)
 ')
 ########################################
@ -2914,8 +2884,8 @@ interface(`fs_relabel_tmpfs_blk_file',`
 		type tmpfs_t;
 	')
-	allow $1 tmpfs_t:dir r_dir_perms;
+	allow $1 tmpfs_t:dir list_dir_perms;
-	allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
+	relabel_blk_files_pattern($1,tmpfs_t,tmpfs_t)
 ')
 ########################################
@ -2934,8 +2904,7 @@ interface(`fs_manage_tmpfs_files',`
 		type tmpfs_t;
 	')
-	allow $1 tmpfs_t:dir rw_dir_perms;
+	manage_files_pattern($1,tmpfs_t,tmpfs_t)
 	allow $1 tmpfs_t:file create_file_perms;
 ')
 ########################################
@ -2954,8 +2923,7 @@ interface(`fs_manage_tmpfs_symlinks',`
 		type tmpfs_t;
 	')
-	allow $1 tmpfs_t:dir rw_dir_perms;
+	manage_lnk_files_pattern($1,tmpfs_t,tmpfs_t)
 	allow $1 tmpfs_t:lnk_file create_lnk_perms;
 ')
 ########################################
@ -2974,8 +2942,7 @@ interface(`fs_manage_tmpfs_sockets',`
 		type tmpfs_t;
 	')
-	allow $1 tmpfs_t:dir rw_dir_perms;
+	manage_sock_files_pattern($1,tmpfs_t,tmpfs_t)
 	allow $1 tmpfs_t:sock_file create_file_perms;
 ')
 ########################################
@ -2994,8 +2961,7 @@ interface(`fs_manage_tmpfs_chr_files',`
 		type tmpfs_t;
 	')
-	allow $1 tmpfs_t:dir rw_dir_perms;
+	manage_chr_files_pattern($1,tmpfs_t,tmpfs_t)
 	allow $1 tmpfs_t:chr_file create_file_perms;
 ')
 ########################################
@ -3014,8 +2980,7 @@ interface(`fs_manage_tmpfs_blk_files',`
 		type tmpfs_t;
 	')
-	allow $1 tmpfs_t:dir rw_dir_perms;
+	manage_blk_files_pattern($1,tmpfs_t,tmpfs_t)
 	allow $1 tmpfs_t:blk_file create_file_perms;
 ')
 ########################################
@ -3220,7 +3185,7 @@ interface(`fs_list_all',`
 		attribute filesystem_type;
 	')
-	allow $1 filesystem_type:dir r_dir_perms;
+	allow $1 filesystem_type:dir list_dir_perms;
 ')
 ########################################
@ -3239,8 +3204,7 @@ interface(`fs_getattr_all_files',`
 		attribute filesystem_type;
 	')
-	allow $1 filesystem_type:dir { search getattr };
+	getattr_files_pattern($1,filesystem_type,filesystem_type)
 	allow $1 filesystem_type:file getattr;
 ')
 ########################################
@ -3259,8 +3223,7 @@ interface(`fs_getattr_all_symlinks',`
 		attribute filesystem_type;
 	')
-	allow $1 filesystem_type:dir { search getattr };
+	getattr_lnk_files_pattern($1,filesystem_type,filesystem_type)
 	allow $1 filesystem_type:lnk_file getattr;
 ')
 ########################################
@ -3279,8 +3242,7 @@ interface(`fs_getattr_all_pipes',`
 		attribute filesystem_type;
 	')
-	allow $1 filesystem_type:dir { search getattr };
+	getattr_fifo_files_pattern($1,filesystem_type,filesystem_type)
 	allow $1 filesystem_type:fifo_file getattr;
 ')
 ########################################
@ -3299,8 +3261,7 @@ interface(`fs_getattr_all_sockets',`
 		attribute filesystem_type;
 	')
-	allow $1 filesystem_type:dir { search getattr };
+	getattr_sock_files_pattern($1,filesystem_type,filesystem_type)
 	allow $1 filesystem_type:sock_file getattr;
 ')
 ########################################
@ -3413,11 +3374,12 @@ interface(`fs_relabelfrom_noxattr_fs',`
 		attribute noxattrfs;
 	')
-	allow $1 noxattrfs:dir { list_dir_perms relabelfrom };
+	allow $1 noxattrfs:dir list_dir_perms;
-	allow $1 noxattrfs:file { getattr relabelfrom };
+	relabelfrom_dirs_pattern($1,noxattrfs,noxattrfs)
-	allow $1 noxattrfs:lnk_file { getattr relabelfrom };
+	relabelfrom_files_pattern($1,noxattrfs,noxattrfs)
-	allow $1 noxattrfs:fifo_file { getattr relabelfrom };
+	relabelfrom_lnk_files_pattern($1,noxattrfs,noxattrfs)
-	allow $1 noxattrfs:sock_file { getattr relabelfrom };
+	relabelfrom_fifo_files_pattern($1,noxattrfs,noxattrfs)
-	allow $1 noxattrfs:blk_file { getattr relabelfrom };
+	relabelfrom_sock_files_pattern($1,noxattrfs,noxattrfs)
-	allow $1 noxattrfs:chr_file { getattr relabelfrom };
+	relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
 	relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
 ')
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@ -27,12 +27,7 @@ interface(`kernel_domtrans_to',`
 		type kernel_t;
 	')
-	domain_auto_trans(kernel_t, $2, $1)
+	domtrans_pattern(kernel_t, $2, $1)
 	allow kernel_t $1:fd use;
 	allow $1 kernel_t:fd use;
 	allow $1 kernel_t:fifo_file rw_file_perms;
 	allow $1 kernel_t:process sigchld;
 ')
 ########################################
@ -534,7 +529,7 @@ interface(`kernel_search_debugfs',`
 		type debugfs_t;
 	')
-	allow $1 debugfs_t:dir search;
+	search_dirs_pattern($1,debugfs_t,debugfs_t)
 ')
 ########################################
@ -552,9 +547,9 @@ interface(`kernel_read_debugfs',`
 		type debugfs_t;
 	')
-	allow $1 debugfs_t:dir r_dir_perms;
+	read_files_pattern($1,debugfs_t,debugfs_t)
-	allow $1 debugfs_t:file r_file_perms;
+	read_lnk_files_pattern($1,debugfs_t,debugfs_t)
-	allow $1 debugfs_t:lnk_file { getattr read };
+	list_dirs_pattern($1,debugfs_t,debugfs_t)
 ')
 ########################################
@ -608,7 +603,7 @@ interface(`kernel_search_proc',`
 		type proc_t;
 	')
-	allow $1 proc_t:dir search;
+	search_dirs_pattern($1,proc_t,proc_t)
 ')
 ########################################
@ -626,7 +621,7 @@ interface(`kernel_list_proc',`
 		type proc_t;
 	')
-	allow $1 proc_t:dir r_dir_perms;
+	list_dirs_pattern($1,proc_t,proc_t)
 ')
 ########################################
@ -663,8 +658,7 @@ interface(`kernel_getattr_proc_files',`
 		type proc_t;
 	')
-	allow $1 proc_t:dir search;
+	getattr_files_pattern($1,proc_t,proc_t)
 	allow $1 proc_t:file getattr;
 ')
 ########################################
@ -682,8 +676,7 @@ interface(`kernel_read_proc_symlinks',`
 		type proc_t;
 	')
-	allow $1 proc_t:dir search;
+	read_lnk_files_pattern($1,proc_t,proc_t)
 	allow $1 proc_t:lnk_file { getattr read };
 ')
 ########################################
@ -702,9 +695,10 @@ interface(`kernel_read_system_state',`
 		type proc_t;
 	')
-	allow $1 proc_t:dir r_dir_perms;
+	read_files_pattern($1,proc_t,proc_t)
-	allow $1 proc_t:lnk_file { getattr read };
+	read_lnk_files_pattern($1,proc_t,proc_t)
-	allow $1 proc_t:file r_file_perms;
+
 	list_dirs_pattern($1,proc_t,proc_t)
 ')
 ########################################
@ -727,8 +721,7 @@ interface(`kernel_write_proc_files',`
 		type proc_t;
 	')
-	allow $1 proc_t:dir search;
+	write_files_pattern($1,proc_t,proc_t)
 	allow $1 proc_t:file { append write };
 ')
 ########################################
@ -785,8 +778,9 @@ interface(`kernel_read_software_raid_state',`
 		type proc_t, proc_mdstat_t;
 	')
-	allow $1 proc_t:dir r_dir_perms;
+	read_files_pattern($1,proc_t,proc_mdstat_t)
-	allow $1 proc_mdstat_t:file r_file_perms;
+
 	list_dirs_pattern($1,proc_t,proc_t)
 ')
 #######################################
@ -804,8 +798,9 @@ interface(`kernel_rw_software_raid_state',`
 		type proc_t, proc_mdstat_t;
 	')
-	allow $1 proc_t:dir r_dir_perms;
+	rw_files_pattern($1,proc_t,proc_mdstat_t)
-	allow $1 proc_mdstat_t:file rw_file_perms;
+
 	list_dirs_pattern($1,proc_t,proc_t)
 ')
 ########################################
@ -823,8 +818,9 @@ interface(`kernel_getattr_core_if',`
 		type proc_t, proc_kcore_t;
 	')
-	allow $1 proc_t:dir r_dir_perms;
+	getattr_files_pattern($1,proc_t,proc_kcore_t)
-	allow $1 proc_kcore_t:file getattr;
+
 	list_dirs_pattern($1,proc_t,proc_t)
 ')
 ########################################
@ -863,8 +859,8 @@ interface(`kernel_read_messages',`
 		type proc_kmsg_t, proc_t;
 	')
-	allow $1 proc_t:dir search;
+	read_files_pattern($1,proc_t,proc_kmsg_t)
-	allow $1 proc_kmsg_t:file r_file_perms;
+
 	typeattribute $1 can_receive_kernel_messages;
 ')
@ -884,8 +880,7 @@ interface(`kernel_getattr_message_if',`
 		type proc_kmsg_t, proc_t;
 	')
-	allow $1 proc_t:dir search;
+	getattr_files_pattern($1,proc_t,proc_kmsg_t)
 	allow $1 proc_kmsg_t:file getattr;
 ')
 ########################################
@ -943,7 +938,7 @@ interface(`kernel_search_network_state',`
 		type proc_net_t;
 	')
-	allow $1 proc_net_t:dir search;
+	search_dirs_pattern($1,proc_t,proc_net_t)
 ')
 ########################################
@ -962,10 +957,10 @@ interface(`kernel_read_network_state',`
 		type proc_t, proc_net_t;
 	')
-	allow $1 proc_t:dir search;
+	read_files_pattern($1,{ proc_t proc_net_t },proc_net_t)
-	allow $1 proc_net_t:dir r_dir_perms;
+	read_lnk_files_pattern($1,{ proc_t proc_net_t },proc_net_t)
-	allow $1 proc_net_t:file r_file_perms;
+
-	allow $1 proc_net_t:lnk_file { getattr read };
+	list_dirs_pattern($1,proc_t,proc_net_t)
 ')
 ########################################
@ -983,9 +978,9 @@ interface(`kernel_read_network_state_symlinks',`
 		type proc_t, proc_net_t;
 	')
-	allow $1 proc_t:dir search;
+	read_lnk_files_pattern($1,{ proc_t proc_net_t },proc_net_t)
-	allow $1 proc_net_t:dir r_dir_perms;
+
-	allow $1 proc_net_t:lnk_file r_file_perms;
+	list_dirs_pattern($1,proc_t,proc_net_t)
 ')
 ########################################
@ -1004,8 +999,7 @@ interface(`kernel_search_xen_state',`
 		type proc_t, proc_xen_t;
 	')
-	allow $1 proc_t:dir search_dir_perms;
+	search_dirs_pattern($1,proc_t,proc_xen_t)
 	allow $1 proc_xen_t:dir search_dir_perms;
 ')
 ########################################
@ -1044,10 +1038,10 @@ interface(`kernel_read_xen_state',`
 		type proc_t, proc_xen_t;
 	')
-	allow $1 proc_t:dir search_dir_perms;
+	read_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
-	allow $1 proc_xen_t:dir r_dir_perms;
+	read_lnk_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
-	allow $1 proc_xen_t:file r_file_perms;
+
-	allow $1 proc_xen_t:lnk_file { getattr read };
+	list_dirs_pattern($1,proc_t,proc_xen_t)
 ')
 ########################################
@ -1066,9 +1060,9 @@ interface(`kernel_read_xen_state_symlinks',`
 		type proc_t, proc_xen_t;
 	')
-	allow $1 proc_t:dir search;
+	read_lnk_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
-	allow $1 proc_xen_t:dir r_dir_perms;
+
-	allow $1 proc_xen_t:lnk_file r_file_perms;
+	list_dirs_pattern($1,proc_t,proc_xen_t)
 ')
 ########################################
@ -1087,9 +1081,7 @@ interface(`kernel_write_xen_state',`
 		type proc_t, proc_xen_t;
 	')
-	allow $1 proc_t:dir search;
+	write_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t)
 	allow $1 proc_xen_t:dir r_dir_perms;
 	allow $1 proc_xen_t:file write;
 ')
 ########################################
@ -1146,7 +1138,7 @@ interface(`kernel_read_sysctl',`
 		type sysctl_t;
 	')
-	allow $1 sysctl_t:dir r_dir_perms;
+	list_dirs_pattern($1,proc_t,sysctl_t)
 ')
 ########################################
@ -1165,10 +1157,9 @@ interface(`kernel_read_device_sysctls',`
 		type proc_t, sysctl_t, sysctl_dev_t;
 	')
-	allow $1 proc_t:dir search;
+	read_files_pattern($1,{ proc_t sysctl_t sysctl_dev_t },sysctl_dev_t)
-	allow $1 sysctl_t:dir r_dir_perms;
+
-	allow $1 sysctl_dev_t:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_dev_t)
 	allow $1 sysctl_dev_t:file r_file_perms;
 ')
 ########################################
@ -1187,9 +1178,9 @@ interface(`kernel_rw_device_sysctls',`
 		type proc_t, sysctl_t, sysctl_dev_t;
 	')
-	allow $1 proc_t:dir search;
+	rw_files_pattern($1,{ proc_t sysctl_t sysctl_dev_t },sysctl_dev_t)
-	allow $1 sysctl_t:dir r_dir_perms;
+
-	allow $1 sysctl_dev_t:file rw_file_perms;
+	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_dev_t)
 ')
 ########################################
@ -1207,7 +1198,7 @@ interface(`kernel_search_vm_sysctl',`
 		type proc_t, sysctl_t, sysctl_vm_t;
 	')
-	allow $1 { proc_t sysctl_t sysctl_vm_t }:dir search_dir_perms;
+	search_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t)
 ')
 ########################################
@ -1226,9 +1217,9 @@ interface(`kernel_read_vm_sysctls',`
 		type proc_t, sysctl_t, sysctl_vm_t;
 	')
-	allow $1 proc_t:dir search;
+	read_files_pattern($1,{ proc_t sysctl_t sysctl_vm_t },sysctl_vm_t)
-	allow $1 sysctl_t:dir r_dir_perms;
+
-	allow $1 sysctl_vm_t:file r_file_perms;
+	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t)
 ')
 ########################################
@ -1247,10 +1238,8 @@ interface(`kernel_rw_vm_sysctls',`
 		type proc_t, sysctl_t, sysctl_vm_t;
 	')
-	allow $1 proc_t:dir search;
+	rw_files_pattern($1,{ proc_t sysctl_t sysctl_vm_t },sysctl_vm_t)
-	allow $1 sysctl_t:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t)
 	allow $1 sysctl_vm_t:dir list_dir_perms;
 	allow $1 sysctl_vm_t:file rw_file_perms;
 	# hal needs this
 	allow $1 sysctl_vm_t:dir write;
@ -1271,7 +1260,7 @@ interface(`kernel_search_network_sysctl',`
 		type proc_t, sysctl_t, sysctl_net_t;
 	')
-	allow $1 { proc_t sysctl_t sysctl_net_t }:dir search;
+	search_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
 ')
 ########################################
@ -1308,10 +1297,9 @@ interface(`kernel_read_net_sysctls',`
 		type proc_t, sysctl_t, sysctl_net_t;
 	')
-	allow $1 proc_t:dir search;
+	read_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t)
-	allow $1 sysctl_t:dir r_dir_perms;
+
-	allow $1 sysctl_net_t:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
 	allow $1 sysctl_net_t:file r_file_perms;
 ')
 ########################################
@ -1330,10 +1318,9 @@ interface(`kernel_rw_net_sysctls',`
 		type proc_t, sysctl_t, sysctl_net_t;
 	')
-	allow $1 proc_t:dir search;
+	rw_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t)
-	allow $1 sysctl_t:dir r_dir_perms;
+
-	allow $1 sysctl_net_t:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
 	allow $1 sysctl_net_t:file rw_file_perms;
 ')
 ########################################
@ -1353,10 +1340,9 @@ interface(`kernel_read_unix_sysctls',`
 		type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
 	')
-	allow $1 proc_t:dir search;
+	read_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_unix_t)
-	allow $1 sysctl_t:dir r_dir_perms;
+
-	allow $1 sysctl_net_t:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
 	allow $1 sysctl_net_unix_t:file r_file_perms;
 ')
 ########################################
@ -1376,10 +1362,9 @@ interface(`kernel_rw_unix_sysctls',`
 		type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
 	')
-	allow $1 proc_t:dir search;
+	rw_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_unix_t)
-	allow $1 sysctl_t:dir r_dir_perms;
+
-	allow $1 sysctl_net_t:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t)
 	allow $1 sysctl_net_unix_t:file rw_file_perms;
 ')
 ########################################
@ -1398,10 +1383,9 @@ interface(`kernel_read_hotplug_sysctls',`
 		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
 	')
-	allow $1 proc_t:dir search;
+	read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_hotplug_t)
-	allow $1 sysctl_t:dir r_dir_perms;
+
-	allow $1 sysctl_kernel_t:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
 	allow $1 sysctl_hotplug_t:file r_file_perms;
 ')
 ########################################
@ -1420,10 +1404,9 @@ interface(`kernel_rw_hotplug_sysctls',`
 		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
 	')
-	allow $1 proc_t:dir search;
+	rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_hotplug_t)
-	allow $1 sysctl_t:dir r_dir_perms;
+
-	allow $1 sysctl_kernel_t:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
 	allow $1 sysctl_hotplug_t:file rw_file_perms;
 ')
 ########################################
@ -1442,10 +1425,9 @@ interface(`kernel_read_modprobe_sysctls',`
 		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
 	')
-	allow $1 proc_t:dir search;
+	read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_modprobe_t)
-	allow $1 sysctl_t:dir r_dir_perms;
+
-	allow $1 sysctl_kernel_t:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
 	allow $1 sysctl_modprobe_t:file r_file_perms;
 ')
 ########################################
@ -1464,10 +1446,9 @@ interface(`kernel_rw_modprobe_sysctls',`
 		type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
 	')
-	allow $1 proc_t:dir search;
+	rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_modprobe_t)
-	allow $1 sysctl_t:dir r_dir_perms;
+
-	allow $1 sysctl_kernel_t:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
 	allow $1 sysctl_modprobe_t:file rw_file_perms;
 ')
 ########################################
@ -1503,10 +1484,9 @@ interface(`kernel_read_kernel_sysctls',`
 		type proc_t, sysctl_t, sysctl_kernel_t;
 	')
-	allow $1 proc_t:dir search_dir_perms;
+	read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_kernel_t)
-	allow $1 sysctl_t:dir r_dir_perms;
+
-	allow $1 sysctl_kernel_t:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
 	allow $1 sysctl_kernel_t:file r_file_perms;
 ')
 ########################################
@ -1543,10 +1523,9 @@ interface(`kernel_rw_kernel_sysctl',`
 		type proc_t, sysctl_t, sysctl_kernel_t;
 	')
-	allow $1 proc_t:dir search;
+	rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_kernel_t)
-	allow $1 sysctl_t:dir r_dir_perms;
+
-	allow $1 sysctl_kernel_t:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t)
 	allow $1 sysctl_kernel_t:file rw_file_perms;
 ')
 ########################################
@ -1565,10 +1544,9 @@ interface(`kernel_read_fs_sysctls',`
 		type proc_t, sysctl_t, sysctl_fs_t;
 	')
-	allow $1 proc_t:dir search;
+	read_files_pattern($1,{ proc_t sysctl_t sysctl_fs_t },sysctl_fs_t)
-	allow $1 sysctl_t:dir r_dir_perms;
+
-	allow $1 sysctl_fs_t:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_fs_t)
 	allow $1 sysctl_fs_t:file r_file_perms;
 ')
 ########################################
@ -1587,10 +1565,9 @@ interface(`kernel_rw_fs_sysctls',`
 		type proc_t, sysctl_t, sysctl_fs_t;
 	')
-	allow $1 proc_t:dir search;
+	rw_files_pattern($1,{ proc_t sysctl_t sysctl_fs_t },sysctl_fs_t)
-	allow $1 sysctl_t:dir r_dir_perms;
+
-	allow $1 sysctl_fs_t:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_fs_t)
 	allow $1 sysctl_fs_t:file rw_file_perms;
 ')
 ########################################
@ -1609,9 +1586,9 @@ interface(`kernel_read_irq_sysctls',`
 		type proc_t, sysctl_irq_t;
 	')
-	allow $1 proc_t:dir search;
+	read_files_pattern($1,{ proc_t sysctl_irq_t },sysctl_irq_t)
-	allow $1 sysctl_irq_t:dir r_dir_perms;
+
-	allow $1 sysctl_irq_t:file r_file_perms;
+	list_dirs_pattern($1,proc_t,sysctl_irq_t)
 ')
 ########################################
@ -1630,9 +1607,9 @@ interface(`kernel_rw_irq_sysctls',`
 		type proc_t, sysctl_irq_t;
 	')
-	allow $1 proc_t:dir search;
+	rw_files_pattern($1,{ proc_t sysctl_irq_t },sysctl_irq_t)
-	allow $1 sysctl_irq_t:dir r_dir_perms;
+
-	allow $1 sysctl_irq_t:file rw_file_perms;
+	list_dirs_pattern($1,proc_t,sysctl_irq_t)
 ')
 ########################################
@ -1651,10 +1628,9 @@ interface(`kernel_read_rpc_sysctls',`
 		type proc_t, proc_net_t, sysctl_rpc_t;
 	')
-	allow $1 proc_t:dir search;
+	read_files_pattern($1,{ proc_t proc_net_t sysctl_rpc_t },sysctl_rpc_t)
-	allow $1 proc_net_t:dir search;
+
-	allow $1 sysctl_rpc_t:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_rpc_t)
 	allow $1 sysctl_rpc_t:file r_file_perms;
 ')
 ########################################
@ -1673,10 +1649,9 @@ interface(`kernel_rw_rpc_sysctls',`
 		type proc_t, proc_net_t, sysctl_rpc_t;
 	')
-	allow $1 proc_t:dir search;
+	rw_files_pattern($1,{ proc_t proc_net_t sysctl_rpc_t },sysctl_rpc_t)
-	allow $1 proc_net_t:dir search;
+
-	allow $1 sysctl_rpc_t:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_rpc_t)
 	allow $1 sysctl_rpc_t:file rw_file_perms;
 ')
 ########################################
@ -1715,10 +1690,9 @@ interface(`kernel_read_all_sysctls',`
 	')
 	# proc_net_t for /proc/net/rpc sysctls
-	allow $1 { proc_t proc_net_t }:dir search;
+	read_files_pattern($1,{ proc_t proc_net_t sysctl_type },sysctl_type)
-	allow $1 sysctl_type:dir r_dir_perms;
+	list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_type)
 	allow $1 sysctl_type:file r_file_perms;
 ')
 ########################################
@ -1739,10 +1713,11 @@ interface(`kernel_rw_all_sysctls',`
 	')
 	# proc_net_t for /proc/net/rpc sysctls
-	allow $1 { proc_t proc_net_t }:dir search;
+	rw_files_pattern($1,{ proc_t proc_net_t sysctl_type },sysctl_type)
-	allow $1 sysctl_type:dir r_dir_perms;
+	allow $1 sysctl_type:dir list_dir_perms;
-	allow $1 sysctl_type:file { rw_file_perms setattr };
+	# why is setattr needed?
 	allow $1 sysctl_type:file setattr;
 ')
 ########################################
@ -1850,7 +1825,7 @@ interface(`kernel_list_unlabeled',`
 		type unlabeled_t;
 	')
-	allow $1 unlabeled_t:dir r_dir_perms;
+	allow $1 unlabeled_t:dir list_dir_perms;
 ')
 ########################################
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@ -99,7 +99,7 @@ interface(`storage_raw_read_fixed_disk',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file r_file_perms;
+	allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
 	typeattribute $1 fixed_disk_raw_read;
 ')
@ -143,7 +143,7 @@ interface(`storage_raw_write_fixed_disk',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file { getattr write append ioctl };
+	allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
 	typeattribute $1 fixed_disk_raw_write;
 ')
@ -164,7 +164,7 @@ interface(`storage_dontaudit_write_fixed_disk',`
 	')
-	dontaudit $1 fixed_disk_device_t:blk_file { write append ioctl };
+	dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms;
 ')
 ########################################
@ -184,7 +184,7 @@ interface(`storage_manage_fixed_disk',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file create_file_perms;
+	allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
 	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')
@ -242,7 +242,7 @@ interface(`storage_relabel_fixed_disk',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file { relabelfrom relabelto };
+	allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;
 ')
 ########################################
@ -325,7 +325,7 @@ interface(`storage_read_scsi_generic',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 scsi_generic_device_t:chr_file r_file_perms;
+	allow $1 scsi_generic_device_t:chr_file read_chr_file_perms;
 	typeattribute $1 scsi_generic_read;
 ')
@ -350,7 +350,7 @@ interface(`storage_write_scsi_generic',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 scsi_generic_device_t:chr_file { getattr write ioctl };
+	allow $1 scsi_generic_device_t:chr_file write_chr_file_perms;
 	typeattribute $1 scsi_generic_write;
 ')
@ -511,7 +511,7 @@ interface(`storage_raw_read_removable_device',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 removable_device_t:blk_file r_file_perms;
+	allow $1 removable_device_t:blk_file read_blk_file_perms;
 ')
 ########################################
@ -529,7 +529,7 @@ interface(`storage_dontaudit_raw_read_removable_device',`
 		type removable_device_t;
 	')
-	dontaudit $1 removable_device_t:blk_file r_file_perms;
+	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
 ')
 ########################################
@ -552,7 +552,7 @@ interface(`storage_raw_write_removable_device',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 removable_device_t:blk_file { getattr write ioctl };
+	allow $1 removable_device_t:blk_file write_blk_file_perms;
 ')
 ########################################
@ -570,7 +570,7 @@ interface(`storage_dontaudit_raw_write_removable_device',`
 		type removable_device_t;
 	')
-	dontaudit $1 removable_device_t:blk_file { write append ioctl };
+	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
 ')
 ########################################
@ -590,7 +590,7 @@ interface(`storage_read_tape',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 tape_device_t:chr_file r_file_perms;
+	allow $1 tape_device_t:chr_file read_chr_file_perms;
 ')
 ########################################
@ -610,7 +610,7 @@ interface(`storage_write_tape',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 tape_device_t:chr_file { getattr write ioctl };
+	allow $1 tape_device_t:chr_file write_chr_file_perms;
 ')
 ########################################
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@ -153,7 +153,7 @@ interface(`term_create_pty',`
 	dev_list_all_dev_nodes($1)
 	allow $1 ptmx_t:chr_file rw_file_perms;
-	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 devpts_t:dir list_dir_perms;
 	allow $1 devpts_t:filesystem getattr;
 	dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
 	type_transition $1 devpts_t:chr_file $2;
@ -178,7 +178,7 @@ interface(`term_use_all_terms',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 devpts_t:dir list_dir_perms;
 	allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
 ')
@ -199,7 +199,7 @@ interface(`term_write_console',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 console_device_t:chr_file { getattr write append };
+	allow $1 console_device_t:chr_file write_chr_file_perms;
 ')
 ########################################
@ -219,7 +219,7 @@ interface(`term_read_console',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 console_device_t:chr_file read;
+	allow $1 console_device_t:chr_file read_chr_file_perms;
 ')
 ########################################
@ -239,7 +239,7 @@ interface(`term_use_console',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 console_device_t:chr_file rw_file_perms;
+	allow $1 console_device_t:chr_file rw_chr_file_perms;
 ')
 ########################################
@ -258,7 +258,7 @@ interface(`term_dontaudit_use_console',`
 		type console_device_t;
 	')
-	dontaudit $1 console_device_t:chr_file rw_file_perms;
+	dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
 ')
 ########################################
@ -294,12 +294,11 @@ interface(`term_setattr_console',`
 #
 interface(`term_create_console_dev',`
 	gen_require(`
-		type device_t, console_device_t;
+		type console_device_t;
 	')
-	allow $1 device_t:dir add_entry_dir_perms;
+	dev_add_entry_generic_dirs($1)
 	allow $1 console_device_t:chr_file create;
 	allow $1 self:capability mknod;
 ')
@ -356,7 +355,7 @@ interface(`term_search_ptys',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir search;
+	allow $1 devpts_t:dir search_dir_perms;
 ')
 ########################################
@ -376,7 +375,7 @@ interface(`term_dontaudit_search_ptys',`
 	')
 	dev_dontaudit_list_all_dev_nodes($1)
-	dontaudit $1 devpts_t:dir search;
+	dontaudit $1 devpts_t:dir search_dir_perms;
 ')
 ########################################
@ -396,7 +395,7 @@ interface(`term_list_ptys',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 devpts_t:dir list_dir_perms;
 ')
 ########################################
@ -434,7 +433,7 @@ interface(`term_dontaudit_manage_pty_dirs',`
 		type devpts_t;
 	')
-	dontaudit $1 devpts_t:dir create_dir_perms;
+	dontaudit $1 devpts_t:dir manage_dir_perms;
 ')
 ########################################
@ -575,6 +574,7 @@ interface(`term_use_ptmx',`
 		type ptmx_t;
 	')
 	dev_list_all_dev_nodes($1)
 	allow $1 ptmx_t:chr_file rw_file_perms;
 ')
@ -615,7 +615,7 @@ interface(`term_getattr_all_user_ptys',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 devpts_t:dir list_dir_perms;
 	allow $1 ptynode:chr_file getattr;
 ')
@ -657,7 +657,7 @@ interface(`term_setattr_all_user_ptys',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 devpts_t:dir list_dir_perms;
 	allow $1 ptynode:chr_file setattr;
 ')
@ -697,7 +697,7 @@ interface(`term_use_all_user_ptys',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir r_dir_perms;
+	allow $1 devpts_t:dir list_dir_perms;
 	allow $1 ptynode:chr_file { rw_term_perms lock append };
 ')
@ -738,8 +738,7 @@ interface(`term_relabel_all_user_ptys',`
 	')
 	dev_list_all_dev_nodes($1)
-	allow $1 devpts_t:dir search;
+	relabel_chr_files_pattern($1,devpts_t,ptynode)
 	allow $1 ptynode:chr_file { relabelfrom relabelto };
 ')
 ########################################
--- a/Show More
+++ b/Show More