diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index f18a9d7b..7ac48c17 100644 --- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if @@ -15,10 +15,7 @@ define(`bootloader_domtrans',` requires_block_template(`$0'_depend) - allow $1 bootloader_exec_t:file { getattr read execute }; - allow $1 bootloader_t:process transition; - type_transition $1 bootloader_exec_t:process bootloader_t; - dontaudit $1 bootloader_t:process { noatsecure siginh rlimitinh }; + domain_auto_trans($1, bootloader_exec_t, bootloader_t) allow $1 bootloader_t:fd use; allow bootloader_t $1:fd use; @@ -60,12 +57,12 @@ define(`bootloader_run',` bootloader_transition($1) role $2 types bootloader_t; - allow bootloader_t $3:chr_file { getattr read write ioctl }; + allow bootloader_t $3:chr_file rw_file_perms; ') define(`bootloader_run_depend',` type bootloader_t; - class chr_file { getattr read write ioctl }; + class chr_file rw_file_perms; ') ######################################## @@ -107,14 +104,15 @@ define(`bootloader_ignore_search_bootloader_data_directory_depend',` define(`bootloader_modify_bootloader_data_directory_symbolic_links',` requires_block_template(`$0'_depend) - allow $1 boot_t:dir { getattr search read }; - allow $1 boot_t:lnk_file { getattr read write }; + allow $1 boot_t:dir r_dir_perms; + allow $1 boot_t:lnk_file rw_file_perms; ') define(`bootloader_modify_bootloader_data_directory_symbolic_links_depend',` type boot_t; - class dir { getattr search read }; + class dir r_dir_perms; + class lnk_file rw_file_perms; ') ######################################## 
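Review bot: Several of the substituted permission sets are wider than the explicit lists they replace, and nothing in the hunk records that as intended: `allow bootloader_t $3:chr_file rw_file_perms;` in bootloader_run previously granted only { getattr read write ioctl }, and rw_file_perms (as defined in refpolicy's object permission sets) also carries lock and append on the caller's terminal. The same silent widening happens for system_map_t:file in bootloader_install_kernel_symbol_table in the next hunk, for boot_t:lnk_file in the bootloader.te hunk, and for device_t:dir in devices_remove_dev_symbolic_links, which newly gains search. Where the extra permissions are wanted, a one-line comment such as `# rw_file_perms also grants lock/append; acceptable for the controlling tty` keeps the audit trail; otherwise the explicit set should stay. Separately, `domain_auto_trans($1, bootloader_exec_t, bootloader_t)` replaces four rules but bootloader_domtrans_depend is not in the hunk; if it still declares only the removed perms it needs to match whatever domain_auto_trans expands to, and the same applies to kernel_make_userland_entrypoint in the kernel.if hunk at -25.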
@@ -124,7 +122,7 @@ define(`bootloader_modify_bootloader_data_directory_symbolic_links_depend',` define(`bootloader_install_kernel',` requires_block_template(`$0'_depend) - allow $1 boot_t:dir { getattr search read write add_name }; + allow $1 boot_t:dir ra_dir_perms; allow $1 boot_t:file { getattr read write create }; allow $1 boot_t:lnk_file { getattr read create unlink }; ') @@ -132,7 +130,7 @@ define(`bootloader_install_kernel',` define(`bootloader_install_kernel_depend',` type boot_t; - class dir { getattr search read write add_name }; + class dir ra_dir_perms; class file { getattr read write create }; class lnk_file { getattr read create unlink }; ') @@ -144,7 +142,7 @@ define(`bootloader_install_kernel_depend',` define(`bootloader_install_initrd',` requires_block_template(`$0'_depend) - allow $1 boot_t:dir { getattr search read write add_name }; + allow $1 boot_t:dir ra_dir_perms; allow $1 boot_t:file { getattr read write create }; allow $1 boot_t:lnk_file { getattr read create unlink }; ') @@ -152,7 +150,7 @@ define(`bootloader_install_initrd',` define(`bootloader_install_initrd_depend',` type boot_t; - class dir { getattr search read write add_name }; + class dir ra_dir_perms; class file { getattr read write create }; class lnk_file { getattr read create unlink }; ') @@ -164,15 +162,15 @@ define(`bootloader_install_initrd_depend',` define(`bootloader_install_kernel_symbol_table',` requires_block_template(`$0'_depend) - allow $1 boot_t:dir { getattr search read write add_name }; - allow $1 system_map_t:file { getattr read write create }; + allow $1 boot_t:dir ra_dir_perms; + allow $1 system_map_t:file { rw_file_perms create }; ') define(`bootloader_install_kernel_symbol_table_depend',` type boot_t, system_map_t; - class dir { getattr search read write add_name }; - class file { getattr read write create }; + class dir ra_dir_perms; + class file { rw_file_perms create }; ') ######################################## 
@@ -182,15 +180,15 @@ define(`bootloader_install_kernel_symbol_table_depend',` define(`bootloader_read_kernel_symbol_table',` requires_block_template(`$0'_depend) - allow $1 boot_t:dir { getattr search read }; - allow $1 system_map_t:file { getattr read }; + allow $1 boot_t:dir r_dir_perms; + allow $1 system_map_t:file f_file_perms; ') define(`bootloader_read_kernel_symbol_table_depend',` type boot_t, system_map_t; - class dir { getattr search read }; - class file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; ') ######################################## @@ -200,14 +198,14 @@ define(`bootloader_read_kernel_symbol_table_depend',` define(`bootloader_remove_kernel',` requires_block_template(`$0'_depend) - allow $1 boot_t:dir { getattr search read write remove_name }; + allow $1 boot_t:dir { r_dir_perms write remove_name }; allow $1 boot_t:file { getattr unlink }; ') define(`bootloader_remove_kernel_depend',` type boot_t; - class dir { getattr search read write remove_name }; + class dir { r_dir_perms write remove_name }; class file { getattr unlink }; ') @@ -218,14 +216,14 @@ define(`bootloader_remove_kernel_depend',` define(`bootloader_remove_kernel_symbol_table',` requires_block_template(`$0'_depend) - allow $1 boot_t:dir { getattr search read write remove_name }; + allow $1 boot_t:dir { r_dir_perms write remove_name }; allow $1 system_map_t:file { getattr unlink }; ') define(`bootloader_remove_kernel_symbol_table_depend',` type boot_t, system_map_t; - class dir { getattr search read write remove_name }; + class dir { r_dir_perms write remove_name }; class file { getattr unlink }; ') 
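Review bot: `allow $1 system_map_t:file f_file_perms;` in bootloader_read_kernel_symbol_table names a permission set that is not defined anywhere in this diff and disagrees with the interface's own _depend block two lines below, which uses `class file r_file_perms;`; m4 will leave the unknown name unexpanded and checkpolicy will reject it as an unknown permission. It should read `allow $1 system_map_t:file r_file_perms;`. The same slip appears in kernel_read_network_sysctl_depend (`class file f_file_perms;`) in the kernel.if hunk at -1197, where the interface body correctly uses r_file_perms.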
@@ -236,13 +234,13 @@ define(`bootloader_remove_kernel_symbol_table_depend',` define(`bootloader_read_config',` requires_block_template(`$0'_depend) - allow $1 bootloader_etc_t:file { getattr read }; + allow $1 bootloader_etc_t:file r_file_perms; ') define(`bootloader_read_config_depend',` type bootloader_etc_t; - class file { getattr read }; + class file r_file_perms; ') ######################################## @@ -252,13 +250,13 @@ define(`bootloader_read_config_depend',` define(`bootloader_rw_bootloader_config',` requires_block_template(`$0'_depend) - allow $1 bootloader_etc_t:file { getattr read write append }; + allow $1 bootloader_etc_t:file rw_file_perms; ') define(`bootloader_rw_bootloader_config_depend',` type bootloader_etc_t; - class file { getattr read write append }; + class file rw_file_perms; ') ######################################## @@ -269,13 +267,13 @@ define(`bootloader_rw_temp_data',` requires_block_template(`$0'_depend) # FIXME: read tmp_t - allow $1 bootloader_tmp_t:file { getattr read write }; + allow $1 bootloader_tmp_t:file rw_file_perms; ') define(`bootloader_rw_temp_data_depend',` type bootloader_tmp_t; - class file { getattr read write setattr }; + class file rw_file_perms; ') ######################################## 
@@ -285,16 +283,16 @@ define(`bootloader_rw_temp_data_depend',` define(`bootloader_create_runtime_data',` requires_block_template(`$0'_depend) - allow $1 boot_t:dir { getattr search read write add_name remove_name }; - allow $1 boot_runtime_t:file { getattr create read write append unlink }; + allow $1 boot_t:dir rw_dir_perms; + allow $1 boot_runtime_t:file { rw_file_perms create unlink }; type_transition $1 boot_t:file boot_runtime_t; ') define(`bootloader_create_runtime_data_depend',` type boot_t, boot_runtime_t; - class dir { getattr search read write add_name remove_name }; - class file { getattr create read write append unlink }; + class dir rw_dir_perms; + class file { rw_file_perms create unlink }; ') ######################################## @@ -304,13 +302,13 @@ define(`bootloader_create_runtime_data_depend',` define(`bootloader_list_kernel_modules',` requires_block_template(`$0'_depend) - allow $1 modules_object_t:dir { getattr search read }; + allow $1 modules_object_t:dir r_dir_perms; ') define(`bootloader_list_kernel_modules_depend',` type modules_object_t; - class dir { getattr search read }; + class dir r_dir_perms; ') ######################################## @@ -320,17 +318,17 @@ define(`bootloader_list_kernel_modules_depend',` define(`bootloader_read_kernel_modules',` requires_block_template(`$0'_depend) - allow $1 modules_object_t:dir { getattr search read }; - allow $1 modules_object_t:lnk_file { getattr read }; - allow $1 modules_object_t:file { getattr read lock }; + allow $1 modules_object_t:dir r_dir_perms; + allow $1 modules_object_t:lnk_file r_file_perms; + allow $1 modules_object_t:file r_file_perms; ') define(`bootloader_read_kernel_modules_depend',` type modules_object_t; - class dir { getattr search read }; - class lnk_file { getattr read }; - class file { getattr read lock }; + class dir r_dir_perms; + class lnk_file r_file_perms; + class file r_file_perms; ') ######################################## 
@@ -340,7 +338,7 @@ define(`bootloader_read_kernel_modules_depend',` define(`bootloader_write_kernel_modules',` requires_block_template(`$0'_depend) - allow $1 modules_object_t:dir { getattr search read }; + allow $1 modules_object_t:dir r_dir_perms; allow $1 modules_object_t:file write; typeattribute $1 can_modify_kernel_modules; @@ -351,7 +349,7 @@ define(`bootloader_write_kernel_modules_depend',` type modules_object_t; - class dir { getattr search read }; + class dir r_dir_perms; class file write; ') @@ -362,8 +360,8 @@ define(`bootloader_write_kernel_modules_depend',` define(`bootloader_manage_kernel_modules',` requires_block_template(`$0'_depend) - allow $1 modules_object_t:file { getattr create read write setattr unlink }; - allow $1 modules_object_t:dir { getattr search read write add_name remove_name }; + allow $1 modules_object_t:file { rw_file_perms create setattr unlink }; + allow $1 modules_object_t:dir rw_dir_perms; typeattribute $1 can_modify_kernel_modules; ') @@ -374,7 +372,7 @@ define(`bootloader_manage_kernel_modules_depend',` type modules_object_t; class file { getattr create read write setattr unlink }; - class dir { getattr search read write add_name remove_name }; + class dir rw_dir_perms; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index 925f84c6..2d38d24f 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te 
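Review bot: bootloader_manage_kernel_modules_depend still declares `class file { getattr create read write setattr unlink };` while the interface body in the previous hunk now grants `{ rw_file_perms create setattr unlink }`, so the requires block under-declares whatever rw_file_perms adds beyond getattr/read/write (lock, append, ioctl). The depend line should use the same macro-derived set, `class file { rw_file_perms create setattr unlink };`, as the commit already does for the dir class on the following line.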
@@ -66,27 +66,27 @@ allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin allow bootloader_t self:process { sigkill sigstop signull signal }; allow bootloader_t self:fifo_file { getattr read write }; -allow bootloader_t boot_t:dir { getattr search read write add_name }; -allow bootloader_t boot_t:file { getattr read write create }; -allow bootloader_t boot_t:lnk_file { getattr read create unlink }; +allow bootloader_t boot_t:dir ra_dir_perms; +allow bootloader_t boot_t:file { rw_file_perms create }; +allow bootloader_t boot_t:lnk_file { r_file_perms create unlink }; -allow bootloader_t bootloader_etc_t:file { getattr read }; +allow bootloader_t bootloader_etc_t:file r_file_perms; # uncomment the following lines if you use "lilo -p" #allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename }; #files_create_private_config(bootloader_t,bootloader_etc_t) -allow bootloader_t bootloader_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; -allow bootloader_t bootloader_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename }; -allow bootloader_t bootloader_tmp_t:chr_file { create ioctl read getattr lock write setattr append link unlink rename }; -allow bootloader_t bootloader_tmp_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename }; -allow bootloader_t bootloader_tmp_t:lnk_file { create read getattr setattr unlink rename }; +allow bootloader_t bootloader_tmp_t:dir create_dir_perms; +allow bootloader_t bootloader_tmp_t:file create_file_perms; +allow bootloader_t bootloader_tmp_t:chr_file create_file_perms; +allow bootloader_t bootloader_tmp_t:blk_file create_file_perms; +allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms; files_create_private_tmp_data(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file }) # for tune2fs (cjp: ?) 
files_create_private_root_dir_entry(bootloader_t,bootloader_tmp_t) -allow bootloader_t modules_object_t:dir { getattr search read }; -allow bootloader_t modules_object_t:file { getattr read }; -allow bootloader_t modules_object_t:lnk_file { getattr read }; +allow bootloader_t modules_object_t:dir r_dir_perms; +allow bootloader_t modules_object_t:file r_file_perms; +allow bootloader_t modules_object_t:lnk_file r_file_perms; kernel_get_core_interface_attributes(bootloader_t) kernel_read_system_state(bootloader_t) @@ -150,7 +150,7 @@ ifdef(`distro_redhat', ` allow bootloader_t self:capability ipc_lock; # new file system defaults to file_t, granting file_t access is still bad. - allow bootloader_t boot_runtime_t:file { read getattr unlink }; + allow bootloader_t boot_runtime_t:file { r_file_perms unlink }; # mkinitrd mount initrd on bootloader temp dir files_make_mountpoint(bootloader_tmp_t) diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 3bcb1b6b..0f4b2825 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -61,14 +61,14 @@ define(`devices_list_device_nodes',` requires_block_template(`$0'_depend) allow $1 device_t:dir r_dir_perms; - allow $1 device_t:lnk_file { getattr read }; + allow $1 device_t:lnk_file r_file_perms; ') define(`devices_list_device_nodes_depend',` type device_t; class dir r_dir_perms; - class lnk_file { getattr read }; + class lnk_file r_file_perms; ') ######################################## @@ -177,7 +177,7 @@ define(`devices_manage_generic_block_device_depend',` define(`devices_add_generic_character_device',` requires_block_template(`$0'_depend) - allow $1 device_t:dir { getattr search read write add_name }; + allow $1 device_t:dir ra_dir_perms; allow $1 device_t:chr_file create; allow $1 self:capability mknod; 
@@ -186,7 +186,7 @@ define(`devices_add_generic_character_device',` define(`devices_add_generic_character_device_depend',` type device_t; - class dir { getattr search read write add_name }; + class dir ra_dir_perms; class chr_file create; class capability mknod; ') @@ -239,7 +239,7 @@ define(`devices_ignore_get_generic_character_device_attributes_depend',` define(`devices_remove_dev_symbolic_links',` requires_block_template(`$0'_depend) - allow $1 device_t:dir { getattr read write remove_name }; + allow $1 device_t:dir { r_dir_perms write remove_name }; allow $1 device_t:lnk_file unlink; ') @@ -248,7 +248,7 @@ define(`devices_remove_dev_symbolic_links_depend',` type device_t; - class dir { getattr read write remove_name }; + class dir { r_dir_perms write remove_name }; class lnk_file unlink; ') @@ -259,15 +259,15 @@ define(`devices_remove_dev_symbolic_links_depend',` define(`devices_manage_dev_symbolic_links',` requires_block_template(`$0'_depend) - allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; - allow $1 device_t:lnk_file { create read getattr setattr link unlink rename }; + allow $1 device_t:dir create_dir_perms; + allow $1 device_t:lnk_file create_lnk_perms; ') define(`devices_manage_dev_symbolic_links_depend',` type device_t; - class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; - class lnk_file { create read getattr setattr link unlink rename }; + class dir create_dir_perms; + class lnk_file create_lnk_perms; ') ######################################## 
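Review bot: devices_manage_dev_symbolic_links drops relabelfrom and relabelto on device_t:dir when it replaces the explicit list with `create_dir_perms`, and the same loss occurs in devices_manage_device_nodes in the next two hunks for device_t:dir, device_t:{ chr_file blk_file } and device_node:{ chr_file blk_file }, whose old lists all ended in `relabelfrom relabelto`. Unless create_dir_perms/create_file_perms include the relabel permissions (which their names do not suggest), callers that relabel device nodes will start failing with avc denials. If the narrowing is deliberate it deserves a comment; otherwise keep them explicit, e.g. `allow $1 device_t:dir { create_dir_perms relabelfrom relabelto };` and `allow $1 device_t:{ chr_file blk_file } { create_file_perms relabelfrom relabelto };`, with the matching _depend lines updated the same way.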
@@ -277,11 +277,11 @@ define(`devices_manage_dev_symbolic_links_depend',` define(`devices_manage_device_nodes',` requires_block_template(`$0'_depend) - allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; - allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; - allow $1 device_t:lnk_file { create read getattr setattr link unlink rename }; - allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; - allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; + allow $1 device_t:dir create_dir_perms; + allow $1 device_t:sock_file create_file_perms; + allow $1 device_t:lnk_file create_lnk_perms; + allow $1 device_t:{ chr_file blk_file } create_file_perms; + allow $1 device_node:{ chr_file blk_file } create_file_perms; # these next rules are to satisfy assertions broken by the above lines. # the permissions hopefully can be cut back a lot 
@@ -299,11 +299,11 @@ define(`devices_manage_device_nodes_depend',` type device_t; - class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; - class sock_file { create ioctl read getattr lock write setattr append link unlink rename }; - class lnk_file { create read getattr setattr link unlink rename }; - class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; - class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto }; + class dir create_dir_perms; + class sock_file create_file_perms; + class lnk_file create_lnk_perms; + class chr_file create_file_perms; + class blk_file create_file_perms; ') ######################################## @@ -818,14 +818,14 @@ define(`devices_read_sound_mixer_levels',` requires_block_template(`$0'_depend) allow $1 device_t:dir r_dir_perms; - allow $1 sound_device_t:chr_file { getattr read ioctl }; + allow $1 sound_device_t:chr_file r_file_perms; ') define(`devices_read_sound_mixer_levels_depend',` type device_t, sound_device_t; class dir r_dir_perms; - class chr_file { getattr read ioctl }; + class chr_file r_file_perms; ') ######################################## @@ -1031,14 +1031,14 @@ define(`devices_use_lvm_control_channel_depend',` define(`devices_remove_lvm_control_channel',` requires_block_template(`$0'_depend) - allow $1 device_t:dir { getattr search read write remove_name }; + allow $1 device_t:dir { r_dir_perms write remove_name }; allow $1 lvm_control_t:chr_file unlink; ') define(`devices_remove_lvm_control_channel_depend',` type device_t, lvm_control_t; - class dir { getattr search read write remove_name }; + class dir { r_dir_perms write remove_name }; class chr_file unlink; ') diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 93ec06a1..6201dbfb 100644 
--- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -302,7 +302,7 @@ define(`fs_execute_cifs_files',` requires_block_template(`$0'_depend) allow $1 cifs_t:dir r_dir_perms; - allow $1 cifs_t:file { getattr read execute execute_no_trans }; + can_exec($1, cifs_t) ') define(`fs_execute_cifs_files_depend',` @@ -616,7 +616,7 @@ define(`fs_execute_nfs_files',` requires_block_template(`$0'_depend) allow $1 nfs_t:dir r_dir_perms; - allow $1 nfs_t:file { getattr read execute execute_no_trans }; + can_exec($1, nfs_t) ') define(`fs_execute_nfs_files_depend',` @@ -692,8 +692,8 @@ define(`fs_manage_nfs_named_pipes',` define(`fs_manage_nfs_named_pipes_depend',` type nfs_t; - class dir { getattr search read write add_name remove_name }; - class fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; + class dir rw_dir_perms; + class fifo_file create_file_perms; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 53be1d3b..73c226a9 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -25,11 +25,7 @@ define(`kernel_make_userland_entrypoint',` requires_block_template(`$0'_depend) - allow kernel_t $2:file { getattr read execute }; - allow kernel_t $1:process transition; - allow $1 kernel_t:fd use; - type_transition kernel_t $2:process $1; - dontaudit kernel_t $1:process { noatsecure siginh rlimitinh }; + domain_auto_trans(kernel_t, $2, $1) allow $1 kernel_t:fd use; allow kernel_t $1:fd use; 
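Review bot: `can_exec($1, cifs_t)` and `can_exec($1, nfs_t)` replace `{ getattr read execute execute_no_trans }`, but the matching fs_execute_cifs_files_depend and fs_execute_nfs_files_depend blocks begin on each hunk's last context line and are not updated; their bodies lie outside the hunks. If can_exec expands to a different file permission set (for example adding ioctl or lock), the requires block will under-declare what the interface grants and the template check can silently disable the interface. The depend blocks should declare the file permissions via the same macro-derived set that can_exec uses.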
@@ -821,15 +817,15 @@ define(`kernel_ignore_read_system_state_depend',` define(`kernel_read_software_raid_state',` requires_block_template(`$0'_depend) - allow $1 proc_t:dir { getattr search read }; - allow $1 proc_mdstat_t:file { getattr read }; + allow $1 proc_t:dir r_dir_perms; + allow $1 proc_mdstat_t:file r_file_perms; ') define(`kernel_read_software_raid_state_depend',` type proc_t, proc_mdstat_t; - class dir { search getattr read }; - class file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; ') ######################################## @@ -849,7 +845,7 @@ define(`kernel_read_software_raid_state_depend',` define(`kernel_get_core_interface_attributes',` requires_block_template(`$0'_depend) - allow $1 proc_t:dir { getattr search read }; + allow $1 proc_t:dir r_dir_perms; allow $1 proc_kcore_t:file getattr; ') @@ -906,7 +902,7 @@ define(`kernel_read_messages',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 proc_kmsg_t:file { getattr read }; + allow $1 proc_kmsg_t:file r_file_perms; typeattribute $1 can_receive_kernel_messages; ') @@ -916,7 +912,7 @@ define(`kernel_read_messages_depend',` type proc_kmsg_t, proc_t; class dir search; - class file { getattr read }; + class file r_file_perms; ') ######################################## @@ -995,15 +991,15 @@ define(`kernel_read_network_state',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 proc_net_t:dir { getattr search read }; - allow $1 proc_net_t:file { getattr read }; + allow $1 proc_net_t:dir r_dir_perms; + allow $1 proc_net_t:file r_file_perms; ') define(`kernel_read_network_state_depend',` type proc_t, proc_net_t; - class dir { search getattr read }; - class file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; ') ######################################## 
@@ -1051,16 +1047,16 @@ define(`kernel_read_device_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_t:dir { getattr search read }; - allow $1 sysctl_dev_t:dir { getattr search read }; - allow $1 sysctl_dev_t:file { getattr read }; + allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_dev_t:dir r_dir_perms; + allow $1 sysctl_dev_t:file r_file_perms; ') define(`kernel_read_device_sysctl_depend',` type proc_t, sysctl_t, sysctl_dev_t; - class dir { search getattr read }; - class file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; ') ######################################## @@ -1081,15 +1077,15 @@ define(`kernel_modify_device_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_t:dir { getattr search read }; - allow $1 sysctl_dev_t:file { getattr read write }; + allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_dev_t:file rw_file_perms; ') define(`kernel_modify_device_sysctl_depend',` type proc_t, sysctl_t, sysctl_dev_t; - class dir { search getattr read }; - class file { getattr read write }; + class dir r_dir_perms; + class file rw_file_perms; ') ######################################## @@ -1111,15 +1107,15 @@ define(`kernel_read_virtual_memory_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_t:dir { getattr search read }; - allow $1 sysctl_vm_t:file { getattr read }; + allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_vm_t:file r_file_perms; ') define(`kernel_read_virtual_memory_sysctl_depend',` type proc_t, sysctl_t, sysctl_vm_t; - class dir { search getattr read }; - class file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; ') ######################################## 
@@ -1140,15 +1136,15 @@ define(`kernel_modify_virtual_memory_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_t:dir { getattr search read }; - allow $1 sysctl_vm_t:file { getattr read write }; + allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_vm_t:file rw_file_perms; ') define(`kernel_modify_virtual_memory_sysctl_depend',` type proc_t, sysctl_t, sysctl_vm_t; - class dir { search getattr read }; - class file { getattr read write }; + class dir r_dir_perms; + class file rw_file_perms; ') ######################################## @@ -1197,16 +1193,16 @@ define(`kernel_read_network_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_t:dir { getattr search read }; - allow $1 sysctl_net_t:dir { getattr search read }; - allow $1 sysctl_net_t:file { getattr read }; + allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_net_t:dir r_dir_perms; + allow $1 sysctl_net_t:file r_file_perms; ') define(`kernel_read_network_sysctl_depend',` type proc_t, sysctl_t, sysctl_net_t; - class dir { search getattr read }; - class file { getattr read }; + class dir r_dir_perms; + class file f_file_perms; ') ######################################## @@ -1228,16 +1224,16 @@ define(`kernel_modify_network_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_t:dir { getattr search read }; - allow $1 sysctl_net_t:dir { getattr search read }; - allow $1 sysctl_net_t:file { getattr read write }; + allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_net_t:dir r_dir_perms; + allow $1 sysctl_net_t:file rw_file_perms; ') define(`kernel_modify_network_sysctl_depend',` type proc_t, sysctl_t, sysctl_net_t; - class dir { search getattr read }; - class file { getattr read write }; + class dir r_dir_perms; + class file rw_file_perms; ') ######################################## 
@@ -1258,16 +1254,16 @@ define(`kernel_read_unix_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_t:dir { getattr search read }; - allow $1 sysctl_net_t:dir { getattr search read }; - allow $1 sysctl_net_unix_t:file { getattr read }; + allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_net_t:dir r_dir_perms; + allow $1 sysctl_net_unix_t:file r_file_perms; ') define(`kernel_read_net_sysctl_depend',` type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; - class dir { search getattr read }; - class file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; ') ######################################## @@ -1288,16 +1284,16 @@ define(`kernel_modify_unix_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_t:dir { getattr search read }; - allow $1 sysctl_net_t:dir { getattr search read }; - allow $1 sysctl_net_unix_t:file { getattr read write }; + allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_net_t:dir r_dir_perms; + allow $1 sysctl_net_unix_t:file rw_file_perms; ') define(`kernel_modify_net_sysctl_depend',` type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; - class dir { search getattr read }; - class file { getattr read write }; + class dir r_dir_perms; + class file rw_file_perms; ') ######################################## 
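Review bot: kernel_read_unix_sysctl's `requires_block_template(`$0'_depend)` resolves to kernel_read_unix_sysctl_depend, yet the depend block rewritten in the same hunk is named `kernel_read_net_sysctl_depend`; the same mismatch exists for kernel_modify_unix_sysctl / kernel_modify_net_sysctl_depend in the next hunk. This predates the commit, but since both depend blocks are being rewritten here it is the natural place to rename them to `kernel_read_unix_sysctl_depend` and `kernel_modify_unix_sysctl_depend`, unless depend blocks under the _unix_ names already exist elsewhere in the file.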
@@ -1318,16 +1314,16 @@ define(`kernel_read_hotplug_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_t:dir { getattr search read }; - allow $1 sysctl_kernel_t:dir { getattr search read }; - allow $1 sysctl_hotplug_t:file { getattr read }; + allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_kernel_t:dir r_dir_perms; + allow $1 sysctl_hotplug_t:file r_file_perms; ') define(`kernel_read_hotplug_sysctl_depend',` type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; - class dir { search getattr read }; - class file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; ') ######################################## @@ -1348,16 +1344,16 @@ define(`kernel_modify_hotplug_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_t:dir { getattr search read }; - allow $1 sysctl_kernel_t:dir { getattr search read }; - allow $1 sysctl_hotplug_t:file { getattr read write }; + allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_kernel_t:dir r_dir_perms; + allow $1 sysctl_hotplug_t:file rw_file_perms; ') define(`kernel_modify_hotplug_sysctl_depend',` type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; - class dir { search getattr read }; - class file { getattr read write }; + class dir r_dir_perms; + class file rw_file_perms; ') ######################################## 
@@ -1378,16 +1374,16 @@ define(`kernel_read_modprobe_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_t:dir { getattr search read }; - allow $1 sysctl_kernel_t:dir { getattr search read }; - allow $1 sysctl_modprobe_t:file { getattr read }; + allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_kernel_t:dir r_dir_perms; + allow $1 sysctl_modprobe_t:file r_file_perms; ') define(`kernel_read_modprobe_sysctl_depend',` type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; - class dir { search getattr read }; - class file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; ') ######################################## @@ -1408,16 +1404,16 @@ define(`kernel_modify_modprobe_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_t:dir { getattr search read }; - allow $1 sysctl_kernel_t:dir { getattr search read }; - allow $1 sysctl_modprobe_t:file { getattr read write }; + allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_kernel_t:dir r_dir_perms; + allow $1 sysctl_modprobe_t:file rw_file_perms; ') define(`kernel_modify_modprobe_sysctl_depend',` type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; - class dir { search getattr read }; - class file { getattr read write }; + class dir r_dir_perms; + class file rw_file_perms; ') ######################################## 
@@ -1438,16 +1434,16 @@ define(`kernel_read_kernel_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_t:dir { getattr search read }; - allow $1 sysctl_kernel_t:dir { getattr search read }; - allow $1 sysctl_kernel_t:file { getattr read }; + allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_kernel_t:dir r_dir_perms; + allow $1 sysctl_kernel_t:file r_file_perms; ') define(`kernel_read_kernel_sysctl_depend',` type proc_t, sysctl_t, sysctl_kernel_t; - class dir { search getattr read }; - class file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; ') ######################################## @@ -1468,16 +1464,16 @@ define(`kernel_modify_kernel_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_t:dir { getattr search read }; - allow $1 sysctl_kernel_t:dir { getattr search read }; - allow $1 sysctl_kernel_t:file { getattr read write }; + allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_kernel_t:dir r_dir_perms; + allow $1 sysctl_kernel_t:file rw_file_perms; ') define(`kernel_modify_kernel_sysctl_depend',` type proc_t, sysctl_t, sysctl_kernel_t; - class dir { search getattr read }; - class file { getattr read write }; + class dir r_dir_perms; + class file rw_file_perms; ') ######################################## @@ -1498,16 +1494,16 @@ define(`kernel_read_fs_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_t:dir { getattr search read }; - allow $1 sysctl_fs_t:dir { getattr search read }; - allow $1 sysctl_fs_t:file { getattr read }; + allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_fs_t:dir r_dir_perms; + allow $1 sysctl_fs_t:file r_file_perms; ') define(`kernel_read_fs_sysctl_depend',` type proc_t, sysctl_t, sysctl_fs_t; - class dir { search getattr read }; - class file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; ') ######################################## 
@@ -1530,16 +1526,16 @@ define(`kernel_modify_fs_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_t:dir { getattr search read }; - allow $1 sysctl_fs_t:dir { getattr search read }; - allow $1 sysctl_fs_t:file { getattr read write }; + allow $1 sysctl_t:dir r_dir_perms; + allow $1 sysctl_fs_t:dir r_dir_perms; + allow $1 sysctl_fs_t:file rw_file_perms; ') define(`kernel_modify_fs_sysctl_depend',` type proc_t, sysctl_t, sysctl_fs_t; - class dir { search getattr read }; - class file { getattr read write }; + class dir r_dir_perms; + class file rw_file_perms; ') ######################################## @@ -1560,15 +1556,15 @@ define(`kernel_read_irq_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_irq_t:dir { getattr search read }; - allow $1 sysctl_irq_t:file { getattr read }; + allow $1 sysctl_irq_t:dir r_dir_perms; + allow $1 sysctl_irq_t:file r_file_perms; ') define(`kernel_read_irq_sysctl_depend',` type proc_t, sysctl_irq_t; - class dir { search getattr read }; - class file { getattr read }; + class dir r_dir_perms; + class file r_file_perms; ') ######################################## @@ -1590,15 +1586,15 @@ define(`kernel_modify_irq_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; - allow $1 sysctl_irq_t:dir { getattr search read }; - allow $1 sysctl_irq_t:file { getattr read write }; + allow $1 sysctl_irq_t:dir r_dir_perms; + allow $1 sysctl_irq_t:file rw_file_perms; ') define(`kernel_modify_irq_sysctl_depend',` type proc_t, sysctl_irq_t; - class dir { search getattr read }; - class file { getattr read write }; + class dir r_dir_perms; + class file rw_file_perms; ') ######################################## 
@@ -1610,15 +1606,15 @@ define(`kernel_read_rpc_sysctl',`
 allow $1 proc_t:dir search;
 allow $1 proc_net_t:dir search;
- allow $1 sysctl_rpc_t:dir { getattr search read };
- allow $1 sysctl_rpc_t:file { getattr read };
+ allow $1 sysctl_rpc_t:dir r_dir_perms;
+ allow $1 sysctl_rpc_t:file r_file_perms;
 ')
 define(`kernel_read_rpc_sysctl_depend',`
 type proc_t, proc_net_t, sysctl_rpc_t;
- class dir { search getattr read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
 ')
 ########################################
@@ -1630,15 +1626,15 @@ define(`kernel_modify_rpc_sysctl',`
 allow $1 proc_t:dir search;
 allow $1 proc_net_t:dir search;
- allow $1 sysctl_rpc_t:dir { getattr search read };
- allow $1 sysctl_rpc_t:file { getattr read write };
+ allow $1 sysctl_rpc_t:dir r_dir_perms;
+ allow $1 sysctl_rpc_t:file rw_file_perms;
 ')
 define(`kernel_modify_rpc_sysctl_depend',`
 type proc_t, proc_net_t, sysctl_rpc_t;
- class dir { search getattr read };
- class file { getattr read write };
+ class dir r_dir_perms;
+ class file rw_file_perms;
 ')
 ########################################
@@ -1735,16 +1731,16 @@ define(`kernel_search_hardware_state_dir_depend',`
 define(`kernel_read_hardware_state',`
 requires_block_template(`$0'_depend)
- allow $1 sysfs_t:dir { getattr search read };
- allow $1 sysfs_t:{ file lnk_file } { getattr read };
+ allow $1 sysfs_t:dir r_dir_perms;
+ allow $1 sysfs_t:{ file lnk_file } r_file_perms;
 ')
 define(`kernel_read_hardware_state_depend',`
 type sysfs_t;
- class dir { getattr search read };
- class file { getattr read };
- class lnk_file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
+ class lnk_file r_file_perms;
 ')
 ########################################
@@ -1764,17 +1760,17 @@ define(`kernel_read_hardware_state_depend',`
 define(`kernel_modify_hardware_config_option',`
 requires_block_template(`$0'_depend)
- allow $1 sysfs_t:dir { getattr search read };
- allow $1 sysfs_t:lnk_file { getattr read };
- allow $1 sysfs_t:file { getattr read write };
+ allow $1 sysfs_t:dir r_dir_perms;
+ allow $1 sysfs_t:lnk_file r_file_perms;
+ allow $1 sysfs_t:file rw_file_perms;
 ')
 define(`kernel_modify_hardware_config_option_depend',`
 type sysfs_t;
- class dir { getattr search read };
- class file { getattr read write };
- class lnk_file { getattr read };
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ class lnk_file r_file_perms;
 ')
 ########################################
@@ -1937,7 +1933,7 @@ define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
 define(`kernel_relabel_unlabeled_object',`
 requires_block_template(`$0'_depend)
- allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
+ allow $1 unlabeled_t:dir_file_class_set { getattr relabelfrom };
 ')
 define(`kernel_relabel_unlabeled_object_depend',`
@@ -1992,17 +1988,17 @@ define(`kernel_search_usb_hardware_state_dir_depend',`
 define(`kernel_list_usb_hardware',`
 requires_block_template(`$0'_depend)
- allow $1 usbfs_t:dir { getattr search read };
- allow $1 usbfs_t:lnk_file { getattr read };
+ allow $1 usbfs_t:dir r_dir_perms;
+ allow $1 usbfs_t:lnk_file r_file_perms;
 allow $1 usbfs_t:file getattr;
 ')
 define(`kernel_list_usb_hardware_depend',`
 type usbfs_t;
- class dir { getattr search read };
+ class dir r_dir_perms;
 class file getattr;
- class lnk_file { getattr read };
+ class lnk_file r_file_perms;
 ')
 ########################################
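Review bot: `dir_file_class_set` in the new kernel_relabel_unlabeled_object allow line stands in for an explicit list of seven classes, and the rule is only equivalent if that set is defined as exactly `{ dir file lnk_file fifo_file sock_file chr_file blk_file }`, which the hunk cannot show. The matching `kernel_relabel_unlabeled_object_depend` block begins on the hunk's last line, so whether its class declarations were updated the same way is outside the hunk and worth checking before merge.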
@@ -2020,16 +2016,16 @@ define(`kernel_list_usb_hardware_depend',`
 define(`kernel_read_usb_hardware_state',`
 requires_block_template(`$0'_depend)
- allow $1 usbfs_t:dir { getattr search read };
- allow $1 usbfs_t:{ file lnk_file } { getattr read };
+ allow $1 usbfs_t:dir r_dir_perms;
+ allow $1 usbfs_t:{ file lnk_file } r_file_perms;
 ')
 define(`kernel_read_usb_hardware_state_depend',`
 type usbfs_t;
- class dir { getattr search read };
- class file { getattr read };
- class lnk_file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
+ class lnk_file r_file_perms;
 ')
 ########################################
@@ -2049,17 +2045,17 @@ define(`kernel_read_usb_hardware_state_depend',`
 define(`kernel_modify_usb_hardware_config_option',`
 requires_block_template(`$0'_depend)
- allow $1 usbfs_t:dir { getattr search read };
- allow $1 usbfs_t:lnk_file { getattr read };
- allow $1 usbfs_t:file { getattr read write };
+ allow $1 usbfs_t:dir r_dir_perms;
+ allow $1 usbfs_t:lnk_file r_file_perms;
+ allow $1 usbfs_t:file rw_file_perms;
 ')
 define(`kernel_modify_usb_hardware_config_option_depend',`
 type usbfs_t;
- class dir { getattr search read };
- class file { getattr read write };
- class lnk_file { getattr read };
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ class lnk_file r_file_perms;
 ')
 ###################################################################
@@ -2140,13 +2136,13 @@ define(`kernel_unlabeled_sigchld_from_depend',`
 define(`kernel_read_directory_from',`
 requires_block_template(`$0'_depend)
- allow kernel_t $1:dir { getattr search read };
+ allow kernel_t $1:dir r_dir_perms;
 ')
 define(`kernel_read_directory_from_depend',`
 type kernel_t;
- class dir { getattr search read };
+ class dir r_dir_perms;
 ')
 ##
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 68bfa1ff..9ead1284 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -165,28 +165,28 @@ allow kernel_t self:capability *;
 allow kernel_t unlabeled_t:dir mounton;
 # old general_domain_access()
-allow kernel_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow kernel_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
+allow kernel_t self:shm create_shm_perms;
+allow kernel_t self:sem create_sem_perms;
 allow kernel_t self:msg { send receive };
-allow kernel_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
-allow kernel_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow kernel_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow kernel_t self:msgq create_msgq_perms;
+allow kernel_t self:unix_dgram_socket create_socket_perms;
+allow kernel_t self:unix_stream_socket create_stream_socket_perms;
 allow kernel_t self:unix_dgram_socket sendto;
 allow kernel_t self:unix_stream_socket connectto;
-allow kernel_t self:fifo_file { read getattr lock ioctl write append };
+allow kernel_t self:fifo_file rw_file_perms;
 allow kernel_t self:fd use;
 # old general_proc_read_access():
-allow kernel_t proc_t:dir { getattr search read };
-allow kernel_t proc_t:{ lnk_file file } { getattr read };
-allow kernel_t proc_net_t:dir { getattr search read };
-allow kernel_t proc_net_t:file { getattr read };
-allow kernel_t proc_mdstat_t:file { getattr read };
+allow kernel_t proc_t:dir r_dir_perms;
+allow kernel_t proc_t:{ lnk_file file } r_file_perms;
+allow kernel_t proc_net_t:dir r_dir_perms;
+allow kernel_t proc_net_t:file r_file_perms;
+allow kernel_t proc_mdstat_t:file r_file_perms;
 allow kernel_t proc_kcore_t:file getattr;
 allow kernel_t proc_kmsg_t:file getattr;
-allow kernel_t sysctl_t:dir { getattr search read };
-allow kernel_t sysctl_kernel_t:dir { getattr search read };
-allow kernel_t sysctl_kernel_t:file { getattr read };
+allow kernel_t sysctl_t:dir r_dir_perms;
+allow kernel_t sysctl_kernel_t:dir r_dir_perms;
+allow kernel_t sysctl_kernel_t:file r_file_perms;
 # old base_file_read_access():
 files_list_home_directories(kernel_t)
@@ -194,8 +194,8 @@ files_read_general_application_resources(kernel_t)
 selinux_read_config(kernel_t)
 selinux_read_binary_policy(kernel_t)
-allow kernel_t security_t:dir { read search getattr };
-allow kernel_t security_t:file { getattr read write };
+allow kernel_t security_t:dir r_dir_perms;
+allow kernel_t security_t:file rw_file_perms;
 allow kernel_t security_t:security load_policy;
 auditallow kernel_t security_t:security load_policy;
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 1d3e76d1..33f048d4 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -33,6 +33,7 @@ define(`term_make_pty_depend',`
 ##
 ## An object type that will applied to a pty.
 ##
+##
 ##
 #
 define(`term_make_user_pty',`
@@ -57,6 +58,7 @@ define(`term_make_user_pty_depend',`
 ##
 ## An object type that will applied to a pty.
 ##
+##
 ##
 #
 define(`term_make_interactive_pty',`
@@ -105,7 +107,7 @@ define(`term_create_pty',`
 requires_block_template(`$0'_depend)
 devices_list_device_nodes($1)
- allow $1 ptmx_t:chr_file { getattr read write };
+ allow $1 ptmx_t:chr_file rw_file_perms;
 allow $1 devpts_t:dir r_dir_perms;
 allow $1 devpts_t:filesystem getattr;
 dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
@@ -117,7 +119,7 @@ define(`term_create_pty_depend',`
 class filesystem getattr;
 class dir r_dir_perms;
- class chr_file { getattr read write };
+ class chr_file rw_file_perms;
 ')
 ########################################
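Review bot: In the term_create_pty hunk the `dontaudit $1 bsdpty_device_t:chr_file { getattr read write };` line two below the changed allow keeps the literal set while the ptmx_t allow now uses rw_file_perms, so the block mixes both styles; `dontaudit $1 bsdpty_device_t:chr_file rw_file_perms;` would keep the two device rules in step if the same access shape is intended. Since rw_file_perms presumably also carries append, lock and ioctl, the ptmx_t allow widens what callers get on the pty master rather than being a no-op rename, which is worth a line in the commit message. term_create_pty's closing `')` lies outside the hunk, so any further rules in that block are not visible here.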