aliases

refpolicy/policy/modules/apps/gpg.if

@@ -44,7 +44,7 @@ define(`gpg_per_userdomain_template',`
 
 	# transition from the userdomain to the derived domain
 	allow $1_t $1_gpg_t:process transition;
-	allow $1_t gpg_exec_t:file { getattr read execute };
+	allow $1_t gpg_exec_t:file rx_file_perms;
 	type_transition $1_t gpg_exec_t:process $1_gpg_t;
 	dontaudit $1_t $1_gpg_t:process { noatsecure siginh rlimitinh };
 
@@ -58,12 +58,12 @@ define(`gpg_per_userdomain_template',`
 	# setrlimit is for ulimit -c 0
 	allow $1_gpg_t self:process { setrlimit setcap };
 
-	allow $1_gpg_t self:fifo_file { getattr read write };
-	allow $1_gpg_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+	allow $1_gpg_t self:fifo_file rw_file_perms;
+	allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
 
-	allow $1_gpg_t $1_gpg_secret_t:dir { read getattr lock search ioctl add_name remove_name write };
-	allow $1_gpg_t $1_gpg_secret_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_gpg_t $1_gpg_secret_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
+	allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
+	allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
 
 	corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_t)
 	corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_t)
@@ -159,7 +159,7 @@ define(`gpg_per_userdomain_template',`
 
 	# transition from the gpg domain to the helper domain
 	allow $1_gpg_t $1_gpg_helper_t:process transition;
-	allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute };
+	allow $1_gpg_t gpg_helper_exec_t:file rx_file_perms;
 	type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
 	dontaudit $1_gpg_helper_t $1_gpg_t:process { noatsecure siginh rlimitinh };
 
@@ -168,10 +168,10 @@ define(`gpg_per_userdomain_template',`
 	allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
 	allow $1_gpg_helper_t $1_gpg_t:process sigchld;
 
-	allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+	allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
 
-	allow $1_gpg_helper_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
-	allow $1_gpg_helper_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+	allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+	allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
 
 	dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
 
@@ -224,12 +224,12 @@ define(`gpg_per_userdomain_template',`
 	# rlimit: gpg-agent wants to prevent coredumps
 	allow $1_gpg_agent_t self:process setrlimit;
 
-	allow $1_gpg_agent_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
-	allow $1_gpg_agent_t self:fifo_file { getattr read write };
+	allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
+	allow $1_gpg_agent_t self:fifo_file rw_file_perms;
 
-	allow $1_t $1_gpg_agent_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-	allow $1_t $1_gpg_agent_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_t $1_gpg_agent_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms;
+	allow $1_t $1_gpg_agent_tmp_t:file create_file_perms;
+	allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
 	files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
 
 	domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t)
@@ -256,7 +256,7 @@ define(`gpg_per_userdomain_template',`
 	allow $1_gpg_agent_t proc_t:dir search;
 	allow $1_gpg_agent_t proc_t:lnk_file read;
 
-	allow $1_gpg_agent_t device_t:dir { getattr read };
+	allow $1_gpg_agent_t device_t:dir r_file_perms;
 
 	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
 	allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
@@ -282,7 +282,7 @@ define(`gpg_per_userdomain_template',`
 	# we need to allow gpg-agent to call pinentry so it can get the passphrase 
 	# from the user.
 	allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
-	allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute };
+	allow $1_gpg_agent_t pinentry_exec_t:file rx_file_perms;
 	type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
 	dontaudit $1_gpg_agent_t $1_gpg_pinentry_t:process { noatsecure siginh rlimitinh };
 
@@ -292,7 +292,7 @@ define(`gpg_per_userdomain_template',`
 	allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
 
 	allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
-	allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
+	allow $1_gpg_pinentry_t self:fifo_file rw_file_perms;
 
 	# read /proc/meminfo
 	kernel_read_system_state($1_gpg_pinentry_t)
@@ -322,21 +322,21 @@ define(`gpg_per_userdomain_template',`
 
 	# for .Xauthority
 	allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
-	allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
+	allow $1_gpg_pinentry_t $1_home_t:file r_file_perms;
 	# wants to put some lock files into the user home dir, seems to work fine without
 	dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
 	dontaudit $1_gpg_pinentry_t $1_home_t:file write;
 
 	if (use_nfs_home_dirs) {
 		allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
-		allow $1_gpg_pinentry_t nfs_t:file { getattr read };
+		allow $1_gpg_pinentry_t nfs_t:file r_file_perms;
 		dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
 		dontaudit $1_gpg_pinentry_t nfs_t:file write;
 	}
 
 	if (use_samba_home_dirs) {
 		allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
-		allow $1_gpg_pinentry_t cifs_t:file { getattr read };
+		allow $1_gpg_pinentry_t cifs_t:file r_file_perms;
 		dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
 		dontaudit $1_gpg_pinentry_t cifs_t:file write;
 	}

refpolicy/policy/modules/kernel/kernel.if

@@ -10,9 +10,6 @@
 ##		Gives kernel an entrypoint to the caller via
 ##		the entrypoint type.
 ## 	</description>
-## 	<securitydesc>
-##		...
-## 	</securitydesc>
 ## 	<parameter name="domain">
 ##		The process type entered by kernel.
 ## 	</parameter>
@@ -47,10 +44,6 @@ define(`kernel_make_userland_entrypoint_depend',`
 ## 		Allows the kernel to share state information with
 ## 		the caller.
 ## 	</description>
-## 	<securitydesc>
-## 		Gives a type access to state information about
-## 		kernel processes
-## 	</securitydesc>
 ## 	<parameter name="domain">
 ## 		The type of the process with which to share state information.
 ## 	</parameter>
@@ -73,9 +66,6 @@ define(`kernel_share_state_depend',`
 ## 	<description>
 ## 		Permits caller to use kernel file descriptors.
 ## 	</description>
-## 	<securitydesc>
-## 		Permits use of kernel file descriptors.
-## 	</securitydesc>
 ## 	<parameter name="domain">
 ## 		The type of the process using the descriptors.
 ## 	</parameter>
@@ -99,10 +89,6 @@ define(`kernel_use_file_descriptors_depend',`
 ## 		Do not audit attempts by the caller to use
 ## 		kernel file descriptors.
 ## 	</description>
-## 	<securitydesc>
-## 		Causes attempts to use kernel file descriptors
-## 		to not be audited for caller.
-## 	</securitydesc>
 ## 	<parameter name="domain">
 ## 		The type of process not to audit.
 ##	</parameter>
@@ -126,10 +112,6 @@ define(`kernel_ignore_use_file_descriptors_depend',`
 ## 		Allows the kernel to mount filesystems on
 ## 		the caller.
 ##	</description>
-##	<securitydesc>
-## 		Givers kernel permission to mount on directories
-## 		of the calling type.
-##	</securitydesc>
 ##	<parameter name="mountpoint">
 ##		The type of the directory to use as a mountpoint.
 ##	</parameter>
@@ -153,9 +135,6 @@ define(`kernel_make_root_fs_mountpoint_depend',`
 ## 		Makes caller an exception to the constraint preventing
 ## 		changing of user identity.
 ##	</description>
-##	<securitydesc>
-## 		Allows changing of user identity in context of the calling process.
-##	</securitydesc>
 ##	<parameter name="domain">
 ##		The process type to make an exception to the constraint.
 ##	</parameter>
@@ -177,9 +156,6 @@ define(`kernel_make_process_identity_change_constraint_exception_depend',`
 ## 		Makes caller an exception to the constraint preventing
 ## 		changing of role.
 ##	</description>
-##	<securitydesc>
-## 		Allows changing of role in the context of the calling process.
-##	</securitydesc>
 ##	<parameter name="domain">
 ##		The process type to make an exception to the constraint.
 ##	</parameter>
@@ -201,9 +177,6 @@ define(`kernel_make_role_change_constraint_exception_depend',`
 ## 		Makes caller an exception to the constraint preventing 
 ## 		changing the user identity in object contexts.
 ##	</description>
-##	<securitydesc>
-## 		Allows caller to change user identities on objects
-##	</securitydesc>
 ##	<parameter name="domain">
 ##		The process type to make an exception to the constraint.
 ##	</parameter>
@@ -225,9 +198,6 @@ define(`kernel_make_object_identity_change_constraint_exception_depend',`
 ##	<description>
 ## 		Allows caller to load kernel modules
 ##	</description>
-##	<securitydesc>
-## 		Allows loading of kernel modules. 
-##	</securitydesc>
 ##	<parameter name="domain">
 ##		The process type to allow to load kernel modules.
 ##	</parameter>
@@ -253,9 +223,6 @@ define(`kernel_load_module_depend',`
 ## 		Allows the caller to get the mode of policy enforcement
 ## 		(enforcing or permissive mode).
 ##	</description>
-##	<securitydesc>
-## 		Gives caller access to system state data.
-##	</securitydesc>
 ##	<parameter name="domain">
 ##		The process type to allow to get the enforcing mode.
 ##	</parameter>
@@ -281,9 +248,6 @@ define(`kernel_get_selinux_enforcement_mode_depend',`
 ## 		Allow caller to set the mode of policy enforcement
 ## 		(enforcing or permissive mode).
 ##	</description>
-##	<securitydesc>
-## 		Caller becomes able to disable enforcement of policy.
-##	</securitydesc>
 ##	<parameter name="domain">
 ##		The process type to allow to set the enforcement mode.
 ##	</parameter>

refpolicy/policy/modules/system/logging.if

@@ -46,13 +46,13 @@ define(`logging_send_system_log_message',`
 	requires_block_template(`$0'_depend)
 
 	allow $1 devlog_t:lnk_file read;
-	allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
+	allow $1 devlog_t:sock_file rw_file_perms;
 
 	# the type of socket depends on the syslog daemon
 	allow $1 syslogd_t:unix_dgram_socket sendto;
 	allow $1 syslogd_t:unix_stream_socket connectto;
-	allow $1 self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-	allow $1 self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+	allow $1 self:unix_dgram_socket create_socket_perms;
+	allow $1 self:unix_stream_socket create_socket_perms;
 
 	# cjp: this should most likely be removed:
 	terminal_use_console($1)
@@ -61,9 +61,9 @@ define(`logging_send_system_log_message',`
 define(`logging_send_system_log_message_depend',`
 	type syslogd_t, devlog_t;
 
-	class sock_file { ioctl read getattr lock write append };
-	class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown sendto };
-	class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto };
+	class sock_file rw_file_perms;
+	class unix_dgram_socket { create_socket_perms sendto };
+	class unix_stream_socket { create_socket_perms connectto };
 ')
 
 ########################################
@@ -115,7 +115,7 @@ define(`logging_append_all_logs',`
 	requires_block_template(`$0'_depend)
 
 	files_search_system_state_data_directory($1)
-	allow $1 var_log_t:dir { getattr search read };
+	allow $1 var_log_t:dir r_dir_perms;
 	allow $1 logfile:file { getattr append };
 ')
 
@@ -124,7 +124,7 @@ define(`logging_append_all_logs_depend',`
 
 	type var_log_t;
 
-	class dir { getattr search read };
+	class dir r_dir_perms;
 	class file { getattr append };
 ')
 
@@ -136,8 +136,8 @@ define(`logging_read_all_logs',`
 	requires_block_template(`$0'_depend)
 
 	files_search_system_state_data_directory($1)
-	allow $1 var_log_t:dir { getattr search read };
-	allow $1 logfile:file { getattr read };
+	allow $1 var_log_t:dir r_dir_perms;
+	allow $1 logfile:file r_file_perms;
 ')
 
 define(`logging_read_all_logs_depend',`
@@ -145,8 +145,8 @@ define(`logging_read_all_logs_depend',`
 
 	type var_log_t;
 
-	class dir { getattr search read };
-	class file { getattr read };
+	class dir r_dir_perms;
+	class file r_file_perms;
 ')
 
 #######################################
@@ -157,15 +157,15 @@ define(`logging_read_system_logs',`
 	requires_block_template(`$0'_depend)
 
 	files_search_system_state_data_directory($1)
-	allow $1 var_log_t:dir { getattr search read };
-	allow $1 var_log_t:file { getattr read };
+	allow $1 var_log_t:dir r_dir_perms;
+	allow $1 var_log_t:file r_file_perms;
 ')
 
 define(`logging_read_system_logs_depend',`
 	type var_log_t;
 
-	class dir { getattr search read };
-	class file { getattr read };
+	class dir r_dir_perms;
+	class file r_file_perms;
 ')
 
 #######################################
@@ -176,14 +176,14 @@ define(`logging_write_system_logs',`
 	requires_block_template(`$0'_depend)
 
 	files_search_system_state_data_directory($1)
-	allow $1 var_log_t:dir { getattr search read };
+	allow $1 var_log_t:dir r_dir_perms;
 	allow $1 var_log_t:file { getattr write };
 ')
 
 define(`logging_write_system_logs_depend',`
 	type var_log_t;
 
-	class dir { getattr search read };
+	class dir r_dir_perms;
 	class file { getattr write };
 ')
 
@@ -195,15 +195,15 @@ define(`logging_modify_system_logs',`
 	requires_block_template(`$0'_depend)
 
 	files_search_system_state_data_directory($1)
-	allow $1 var_log_t:dir { getattr search read };
-	allow $1 var_log_t:file { getattr read write append };
+	allow $1 var_log_t:dir r_dir_perms;
+	allow $1 var_log_t:file rw_file_perms;
 ')
 
 define(`logging_modify_system_logs_depend',`
 	type var_log_t;
 
-	class dir { getattr search read };
-	class file { getattr read write append };
+	class dir r_dir_perms;
+	class file rw_file_perms;
 ')
 
 ## </module>

refpolicy/policy/modules/system/logging.te

@@ -53,9 +53,9 @@ allow auditd_t self:capability { audit_write audit_control };
 dontaudit auditd_t self:capability sys_tty_config;
 allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
 
-allow auditd_t auditd_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow auditd_t auditd_log_t:file create_file_perms;
 
-allow auditd_t auditd_var_run_t:file { getattr create read write append setattr unlink };
+allow auditd_t auditd_var_run_t:file create_file_perms;
 files_create_daemon_runtime_data(auditd_t,auditd_var_run_t)
 
 kernel_read_kernel_sysctl(auditd_t)
@@ -158,11 +158,11 @@ dontaudit syslogd_t self:capability sys_tty_config;
 allow syslogd_t self:process signal_perms;
 
 # receive messages to be logged
-allow syslogd_t self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-allow syslogd_t self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow syslogd_t self:unix_dgram_socket create_socket_perms;
+allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
 allow syslogd_t self:unix_dgram_socket sendto;
-allow syslogd_t self:fifo_file { getattr read write ioctl lock };
-allow syslogd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+allow syslogd_t self:fifo_file rw_file_perms;
+allow syslogd_t self:udp_socket { connected_socket_perms connect };
 
 # create/append log files.
 allow syslogd_t var_log_t:dir rw_dir_perms;
@@ -176,14 +176,14 @@ allow syslogd_t syslogd_var_run_t:file create_file_perms;
 files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
 
 # Create and bind to /dev/log or /var/run/log.
-allow syslogd_t devlog_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow syslogd_t devlog_t:sock_file create_file_perms;
 files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
 # I belive these are not needed:
 allow syslogd_t devlog_t:unix_stream_socket name_bind;
 allow syslogd_t devlog_t:unix_dgram_socket name_bind;
 
 # manage pid file
-allow syslogd_t syslogd_var_run_t:file { getattr create read write append setattr unlink };
+allow syslogd_t syslogd_var_run_t:file create_file_perms;
 files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t)
 
 kernel_read_hardware_state(syslogd_t)
@@ -234,7 +234,7 @@ files_ignore_search_isid_type_dir(syslogd_t)
 #dontaudit syslogd_t unlabeled_t:file read;
 #dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
 allow syslogd_t self:capability net_admin;
-allow syslogd_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
+allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
 
 ifdef(`klogd.te', `', `
 	# Allow access to /proc/kmsg for syslog-ng

refpolicy/policy/modules/system/mount.if

@@ -14,7 +14,7 @@
 define(`mount_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 mount_exec_t:file { getattr read execute };
+	allow $1 mount_exec_t:file rx_file_perms;
 	allow $1 mount_t:process transition;
 	type_transition $1 mount_exec_t:process mount_t;
 	dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
@@ -28,7 +28,7 @@ define(`mount_transition',`
 define(`mount_transition_depend',`
 	type mount_t, mount_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -57,13 +57,13 @@ define(`mount_transition_add_role_use_terminal',`
 
 	mount_transition($1)
 	role $2 types mount_t;
-	allow mount_t $3:chr_file { getattr read write ioctl };
+	allow mount_t $3:chr_file rw_file_perms;
 ')
 
 define(`mount_transition_add_role_use_terminal_depend',`
 	type mount_t;
 
-	class chr_file { getattr read write ioctl };
+	class chr_file rw_file_perms;
 ')
 
 ########################################
@@ -102,13 +102,13 @@ define(`mount_use_file_descriptors_depend',`
 define(`mount_send_nfs_client_request',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown;
+	allow $1 mount_t:udp_socket rw_socket_perms;
 ')
 
 define(`mount_send_nfs_client_request_depend',`
 	type mount_t;
 
-	class udp_socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+	class udp_socket rw_socket_perms;
 ')
 
 ## </module>

refpolicy/policy/modules/system/mount.te

@@ -14,8 +14,8 @@ files_make_temporary_file(mount_tmp_t)
 
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown };
 
-allow mount_t mount_tmp_t:file { getattr create read setattr write setattr unlink };
-allow mount_t mount_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
+allow mount_t mount_tmp_t:file create_file_perms;
+allow mount_t mount_tmp_t:dir create_dir_perms;
 
 kernel_read_system_state(mount_t)
 kernel_ignore_use_file_descriptors(mount_t)
@@ -113,7 +113,7 @@ files_make_mountpoint(var_lib_nfs_t)
 
 # TODO: Probably need a macro for reading/unlinking files
 # for when /etc/mtab loses its type
-allow mount_t file_t:file { getattr read unlink };
+allow mount_t file_t:file { r_file_perms unlink };
 
 ifdef(`gnome-pty-helper.te', `
 allow mount_t sysadm_gph_t:fd use;

refpolicy/policy/modules/system/selinux.if

@@ -14,7 +14,7 @@
 define(`selinux_checkpolicy_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 checkpolicy_exec_t:file { getattr read execute };
+	allow $1 checkpolicy_exec_t:file rx_file_perms;
 	allow $1 checkpolicy_t:process transition;
 	type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
 	dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
@@ -28,7 +28,7 @@ define(`selinux_checkpolicy_transition',`
 define(`selinux_checkpolicy_transition_depend',`
 	type checkpolicy_t, checkpolicy_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms
 	class process { transition noatsecure siginh rlimitinh sigchld sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -74,13 +74,13 @@ define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
 define(`selinux_checkpolicy_execute',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,checkpolicy_exec_t)
 ')
 
 define(`selinux_checkpolicy_execute_depend',`
 	type checkpolicy_exec_t;
 
-	class file { getattr read execute execute_no_trans };
+	class file { rx_file_perms execute_no_trans };
 ')
 
 #######################################
@@ -96,7 +96,7 @@ define(`selinux_checkpolicy_execute_depend',`
 define(`selinux_load_policy_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 load_policy_exec_t:file { getattr read execute };
+	allow $1 load_policy_exec_t:file rx_file_perms;
 	allow $1 load_policy_t:process transition;
 	type_transition $1 load_policy_exec_t:process load_policy_t;
 	dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
@@ -110,7 +110,7 @@ define(`selinux_load_policy_transition',`
 define(`selinux_load_policy_transition_depend',`
 	type load_policy_t, load_policy_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -156,13 +156,13 @@ define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
 define(`selinux_load_policy_execute',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,load_policy_exec_t)
 ')
 
 define(`selinux_load_policy_execute_depend',`
 	type load_policy_exec_t;
 
-	class file { getattr read execute execute_no_trans };
+	class file { rx_file_perms execute_no_trans };
 ')
 
 #######################################
@@ -172,13 +172,13 @@ define(`selinux_load_policy_execute_depend',`
 define(`selinux_read_load_policy_binary',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 load_policy_exec_t:file { getattr read };
+	allow $1 load_policy_exec_t:file r_file_perms;
 ')
 
 define(`selinux_read_load_policy_binary_depend',`
 	type load_policy_exec_t;
 
-	class file { getattr read };
+	class file r_file_perms
 ')
 
 #######################################
@@ -194,7 +194,7 @@ define(`selinux_read_load_policy_binary_depend',`
 define(`selinux_newrole_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 newrole_exec_t:file { getattr read execute };
+	allow $1 newrole_exec_t:file rx_file_perms;
 	allow $1 newrole_t:process transition;
 	type_transition $1 newrole_exec_t:process newrole_t;
 	dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
@@ -208,7 +208,7 @@ define(`selinux_newrole_transition',`
 define(`selinux_newrole_transition_depend',`
 	type newrole_t, newrole_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -253,13 +253,13 @@ define(`selinux_newrole_transition_add_role_use_terminal_depend',`
 define(`selinux_newrole_execute',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,newrole_exec_t)
 ')
 
 define(`selinux_newrole_execute_depend',`
 	type newrole_t, newrole_exec_t;
 
-	class file { getattr read execute execute_no_trans };
+	class file { rx_file_perms execute_no_trans };
 ')
 
 ########################################
@@ -330,7 +330,7 @@ define(`selinux_newrole_use_file_descriptors_depend',`
 define(`selinux_restorecon_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 restorecon_exec_t:file { getattr read execute };
+	allow $1 restorecon_exec_t:file rx_file_perms;
 	allow $1 restorecon_t:process transition;
 	type_transition $1 restorecon_exec_t:process restorecon_t;
 	dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
@@ -344,7 +344,7 @@ define(`selinux_restorecon_transition',`
 define(`selinux_restorecon_transition_depend',`
 	type restorecon_t, restorecon_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -388,13 +388,13 @@ define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
 #
 define(`selinux_restorecon_execute',`
 requires_block_template(`$0'_depend)
-allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,restorecon_exec_t)
 ')
 
 define(`selinux_restorecon_execute_depend',`
 	type restorecon_t, restorecon_exec_t;
 
-	class file { getattr read execute execute_no_trans };
+	class file { rx_file_perms execute_no_trans };
 ')
 
 ########################################
@@ -410,7 +410,7 @@ define(`selinux_restorecon_execute_depend',`
 define(`selinux_run_init_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 run_init_exec_t:file { getattr read execute };
+	allow $1 run_init_exec_t:file rx_file_perms;
 	allow $1 run_init_t:process transition;
 	type_transition $1 run_init_exec_t:process run_init_t;
 	dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
@@ -424,7 +424,7 @@ define(`selinux_run_init_transition',`
 define(`selinux_run_init_transition_depend',`
 	type run_init_t, run_init_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -491,7 +491,7 @@ define(`selinux_run_init_use_file_descriptors_depend',`
 define(`selinux_setfiles_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 setfiles_exec_t:file { getattr read execute };
+	allow $1 setfiles_exec_t:file rx_file_perms;
 	allow $1 setfiles_t:process transition;
 	type_transition $1 setfiles_exec_t:process setfiles_t;
 	dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
@@ -505,7 +505,7 @@ define(`selinux_setfiles_transition',`
 define(`selinux_setfiles_transition_depend',`
 	type setfiles_t, setfiles_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -550,13 +550,13 @@ define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
 define(`selinux_setfiles_execute',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,setfiles_exec_t)
 ')
 
 define(`selinux_setfiles_execute_depend',`
 	type setfiles_exec_t;
 
-	class file { getattr read execute execute_no_trans };
+	class file { rx_file_perms execute_no_trans };
 ')
 
 ########################################
@@ -566,15 +566,15 @@ define(`selinux_setfiles_execute_depend',`
 define(`selinux_read_config',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 selinux_config_t:dir { getattr search read };
-	allow $1 selinux_config_t:file { getattr read };
+	allow $1 selinux_config_t:dir r_dir_perms;
+	allow $1 selinux_config_t:file r_file_perms;
 ')
 
 define(`selinux_read_config_depend',`
 	type selinux_config_t;
 
-	class dir { getattr search read };
-	class file { getattr read };
+	class dir r_dir_perms;
+	class file r_file_perms;
 ')
 
 ########################################
@@ -585,15 +585,15 @@ define(`selinux_read_default_contexts',`
 	requires_block_template(`$0'_depend)
 
 	allow $1 selinux_config_t:dir search;
-	allow $1 default_context_t:dir { getattr search read };
-	allow $1 default_context_t:file { getattr read };
+	allow $1 default_context_t:dir r_dir_perms;
+	allow $1 default_context_t:file r_file_perms;
 ')
 
 define(`selinux_read_default_contexts_depend',`
 	type selinux_config_t, default_context_t;
 
-	class dir { getattr search read };
-	class file { getattr read };
+	class dir r_dir_perms;
+	class file r_file_perms;
 ')
 
 ########################################
@@ -604,15 +604,15 @@ define(`selinux_read_file_contexts',`
 	requires_block_template(`$0'_depend)
 
 	allow $1 selinux_config_t:dir search;
-	allow $1 file_context_t:dir { getattr search read };
-	allow $1 file_context_t:file { getattr read };
+	allow $1 file_context_t:dir r_dir_perms;
+	allow $1 file_context_t:file r_file_perms;
 ')
 
 define(`selinux_read_file_contexts_depend',`
 	type selinux_config_t, file_context_t;
 
-	class dir { getattr search read };
-	class file { getattr read };
+	class dir r_dir_perms;
+	class file r_file_perms;
 ')
 
 ########################################
@@ -622,15 +622,15 @@ define(`selinux_read_file_contexts_depend',`
 define(`selinux_read_binary_policy',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 policy_config_t:dir { getattr search read };
-	allow $1 policy_config_t:file { getattr read };
+	allow $1 policy_config_t:dir r_dir_perms;
+	allow $1 policy_config_t:file r_file_perms;
 ')
 
 define(`selinux_read_binary_policy_depend',`
 	type policy_config_t;
 
-	class dir { getattr search read };
-	class file { getattr read };
+	class dir r_dir_perms;
+	class file r_file_perms;
 ')
 
 ########################################
@@ -640,7 +640,7 @@ define(`selinux_read_binary_policy_depend',`
 define(`selinux_write_binary_policy',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
+	allow $1 policy_config_t:dir rw_dir_perms;
 	allow $1 policy_config_t:file { getattr create write unlink };
 	typeattribute $1 can_write_binary_policy;
 ')
@@ -650,7 +650,7 @@ define(`selinux_write_binary_policy_depend',`
 
 	type policy_config_t;
 
-	class dir { getattr search read write add_name remove_name };
+	class dir rw_dir_perms;
 	class file { getattr create write unlink };
 ')
 
@@ -688,8 +688,8 @@ define(`selinux_manage_binary_policy',`
 
 	# FIXME: search etc_t:dir
 	allow $1 selinux_config_t:dir search;
-	allow $1 policy_config_t:dir { getattr search read };
-	allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 policy_config_t:dir r_dir_perms;
+	allow $1 policy_config_t:file create_file_perms;
 	typeattribute $1 can_write_binary_policy;
 ')
 
@@ -697,8 +697,8 @@ define(`selinux_manage_binary_policy_depend',`
 	attribute can_write_binary_policy;
 
 	type selinux_config_t, policy_config_t;
-	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-	class file { create ioctl read getattr lock write setattr append link unlink rename };
+	class dir create_dir_perms;
+	class file create_file_perms;
 ')
 
 ########################################
@@ -710,15 +710,15 @@ define(`selinux_read_source_policy',`
 
 	# FIXME: search etc_t:dir
 	allow $1 selinux_config_t:dir search;
-	allow $1 policy_src_t:dir { getattr search read };
-	allow $1 policy_src_t:file { getattr read };
+	allow $1 policy_src_t:dir r_dir_perms;
+	allow $1 policy_src_t:file r_file_perms;
 ')
 
 define(`selinux_read_source_policy_depend',`
 	type selinux_config_t, policy_src_t;
 
-	class dir { getattr search read };
-	class file { getattr read };
+	class dir r_dir_perms;
+	class file r_file_perms;
 ')
 
 ########################################
@@ -730,15 +730,15 @@ define(`selinux_manage_source_policy',`
 
 	# FIXME: search etc_t:dir
 	allow $1 selinux_config_t:dir search;
-	allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-	allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 policy_src_t:dir create_dir_perms;
+	allow $1 policy_src_t:file create_file_perms;
 ')
 
 define(`selinux_manage_source_policy_depend',`
 	type selinux_config_t, policy_src_t;
 
-	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-	class file { create ioctl read getattr lock write setattr append link unlink rename };
+	class dir create_dir_perms;
+	class file create_file_perms;
 ')
 
 ## </module>

refpolicy/policy/modules/system/selinux.te

@@ -98,17 +98,17 @@ domain_make_entrypoint_file(setfiles_t,setfiles_exec_t)
 allow checkpolicy_t self:capability dac_override;
 
 # able to create and modify binary policy files
-allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow checkpolicy_t policy_config_t:dir rw_dir_perms;
+allow checkpolicy_t policy_config_t:file create_file_perms;
 
 # allow test policies to be created in src directories
-allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };
+allow checkpolicy_t policy_src_t:dir rw_dir_perms;
 type_transition checkpolicy_t policy_src_t:file policy_config_t;
 
 # only allow read of policy source files
-allow checkpolicy_t policy_src_t:dir { getattr search read };
-allow checkpolicy_t policy_src_t:file { getattr read ioctl };
-allow checkpolicy_t policy_src_t:lnk_file { getattr read };
+allow checkpolicy_t policy_src_t:dir r_dir_perms;
+allow checkpolicy_t policy_src_t:file r_file_perms;
+allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
 allow checkpolicy_t selinux_config_t:dir search;
 
 fs_get_persistent_fs_attributes(checkpolicy_t)
@@ -142,12 +142,12 @@ allow load_policy_t self:capability dac_override;
 
 # only allow read of policy config files
 allow load_policy_t policy_src_t:dir search;
-allow load_policy_t policy_config_t:dir { getattr search read };
-allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };
+allow load_policy_t policy_config_t:dir r_dir_perms;
+allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
 
-allow load_policy_t selinux_config_t:dir { getattr read search };
-allow load_policy_t selinux_config_t:file { read getattr };
-allow load_policy_t selinux_config_t:lnk_file { getattr read };
+allow load_policy_t selinux_config_t:dir r_dir_perms;
+allow load_policy_t selinux_config_t:file r_file_perms;
+allow load_policy_t selinux_config_t:lnk_file r_file_perms;
 
 kernel_get_selinuxfs_mount_point(load_policy_t)
 kernel_load_selinux_policy(load_policy_t)
@@ -182,17 +182,17 @@ allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
-allow newrole_t self:fifo_file { read getattr lock ioctl write append };
+allow newrole_t self:fifo_file rw_file_perms;
 allow newrole_t self:unix_dgram_socket sendto;
 allow newrole_t self:unix_stream_socket connectto;
-allow newrole_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow newrole_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow newrole_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow newrole_t self:shm create_shm_perms;
+allow newrole_t self:sem create_sem_perms;
+allow newrole_t self:msgq create_msgq_perms;
 allow newrole_t self:msg { send receive };
 
-allow newrole_t { selinux_config_t default_context_t }:dir { getattr read search };
-allow newrole_t { selinux_config_t default_context_t }:file { read getattr };
-allow newrole_t { selinux_config_t default_context_t }:lnk_file { getattr read };
+allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
+allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
+allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
 
 kernel_read_system_state(newrole_t)
 kernel_read_kernel_sysctl(newrole_t)
@@ -274,9 +274,9 @@ dontaudit newrole_t { home_root_t home_type }:dir search;
 
 allow restorecon_t self:capability { dac_override dac_read_search fowner };
 
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 
 kernel_use_file_descriptors(restorecon_t)
 kernel_read_system_state(restorecon_t)
@@ -353,7 +353,7 @@ ifdef(`targeted_policy',`',`
 	allow run_init_t self:process setexec;
 	allow run_init_t self:capability setuid;
 
-	allow run_init_t self:fifo_file { getattr read write };
+	allow run_init_t self:fifo_file rw_file_perms;
 
 	# often the administrator runs such programs from a directory that is owned
 	# by a different user or has restrictive SE permissions, do not want to audit
@@ -408,9 +408,9 @@ ifdef(`distro_gentoo', `
 
 allow setfiles_t self:capability { dac_override dac_read_search fowner };
 
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 
 kernel_read_system_state(setfiles_t)
 kernel_get_selinuxfs_mount_point(setfiles_t)

refpolicy/policy/modules/system/selinuxutil.if

@@ -14,7 +14,7 @@
 define(`selinux_checkpolicy_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 checkpolicy_exec_t:file { getattr read execute };
+	allow $1 checkpolicy_exec_t:file rx_file_perms;
 	allow $1 checkpolicy_t:process transition;
 	type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
 	dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
@@ -28,7 +28,7 @@ define(`selinux_checkpolicy_transition',`
 define(`selinux_checkpolicy_transition_depend',`
 	type checkpolicy_t, checkpolicy_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms
 	class process { transition noatsecure siginh rlimitinh sigchld sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -74,13 +74,13 @@ define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
 define(`selinux_checkpolicy_execute',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,checkpolicy_exec_t)
 ')
 
 define(`selinux_checkpolicy_execute_depend',`
 	type checkpolicy_exec_t;
 
-	class file { getattr read execute execute_no_trans };
+	class file { rx_file_perms execute_no_trans };
 ')
 
 #######################################
@@ -96,7 +96,7 @@ define(`selinux_checkpolicy_execute_depend',`
 define(`selinux_load_policy_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 load_policy_exec_t:file { getattr read execute };
+	allow $1 load_policy_exec_t:file rx_file_perms;
 	allow $1 load_policy_t:process transition;
 	type_transition $1 load_policy_exec_t:process load_policy_t;
 	dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
@@ -110,7 +110,7 @@ define(`selinux_load_policy_transition',`
 define(`selinux_load_policy_transition_depend',`
 	type load_policy_t, load_policy_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -156,13 +156,13 @@ define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
 define(`selinux_load_policy_execute',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,load_policy_exec_t)
 ')
 
 define(`selinux_load_policy_execute_depend',`
 	type load_policy_exec_t;
 
-	class file { getattr read execute execute_no_trans };
+	class file { rx_file_perms execute_no_trans };
 ')
 
 #######################################
@@ -172,13 +172,13 @@ define(`selinux_load_policy_execute_depend',`
 define(`selinux_read_load_policy_binary',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 load_policy_exec_t:file { getattr read };
+	allow $1 load_policy_exec_t:file r_file_perms;
 ')
 
 define(`selinux_read_load_policy_binary_depend',`
 	type load_policy_exec_t;
 
-	class file { getattr read };
+	class file r_file_perms
 ')
 
 #######################################
@@ -194,7 +194,7 @@ define(`selinux_read_load_policy_binary_depend',`
 define(`selinux_newrole_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 newrole_exec_t:file { getattr read execute };
+	allow $1 newrole_exec_t:file rx_file_perms;
 	allow $1 newrole_t:process transition;
 	type_transition $1 newrole_exec_t:process newrole_t;
 	dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
@@ -208,7 +208,7 @@ define(`selinux_newrole_transition',`
 define(`selinux_newrole_transition_depend',`
 	type newrole_t, newrole_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -253,13 +253,13 @@ define(`selinux_newrole_transition_add_role_use_terminal_depend',`
 define(`selinux_newrole_execute',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,newrole_exec_t)
 ')
 
 define(`selinux_newrole_execute_depend',`
 	type newrole_t, newrole_exec_t;
 
-	class file { getattr read execute execute_no_trans };
+	class file { rx_file_perms execute_no_trans };
 ')
 
 ########################################
@@ -330,7 +330,7 @@ define(`selinux_newrole_use_file_descriptors_depend',`
 define(`selinux_restorecon_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 restorecon_exec_t:file { getattr read execute };
+	allow $1 restorecon_exec_t:file rx_file_perms;
 	allow $1 restorecon_t:process transition;
 	type_transition $1 restorecon_exec_t:process restorecon_t;
 	dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
@@ -344,7 +344,7 @@ define(`selinux_restorecon_transition',`
 define(`selinux_restorecon_transition_depend',`
 	type restorecon_t, restorecon_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -388,13 +388,13 @@ define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
 #
 define(`selinux_restorecon_execute',`
 requires_block_template(`$0'_depend)
-allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,restorecon_exec_t)
 ')
 
 define(`selinux_restorecon_execute_depend',`
 	type restorecon_t, restorecon_exec_t;
 
-	class file { getattr read execute execute_no_trans };
+	class file { rx_file_perms execute_no_trans };
 ')
 
 ########################################
@@ -410,7 +410,7 @@ define(`selinux_restorecon_execute_depend',`
 define(`selinux_run_init_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 run_init_exec_t:file { getattr read execute };
+	allow $1 run_init_exec_t:file rx_file_perms;
 	allow $1 run_init_t:process transition;
 	type_transition $1 run_init_exec_t:process run_init_t;
 	dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
@@ -424,7 +424,7 @@ define(`selinux_run_init_transition',`
 define(`selinux_run_init_transition_depend',`
 	type run_init_t, run_init_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -491,7 +491,7 @@ define(`selinux_run_init_use_file_descriptors_depend',`
 define(`selinux_setfiles_transition',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 setfiles_exec_t:file { getattr read execute };
+	allow $1 setfiles_exec_t:file rx_file_perms;
 	allow $1 setfiles_t:process transition;
 	type_transition $1 setfiles_exec_t:process setfiles_t;
 	dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
@@ -505,7 +505,7 @@ define(`selinux_setfiles_transition',`
 define(`selinux_setfiles_transition_depend',`
 	type setfiles_t, setfiles_exec_t;
 
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@@ -550,13 +550,13 @@ define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
 define(`selinux_setfiles_execute',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,setfiles_exec_t)
 ')
 
 define(`selinux_setfiles_execute_depend',`
 	type setfiles_exec_t;
 
-	class file { getattr read execute execute_no_trans };
+	class file { rx_file_perms execute_no_trans };
 ')
 
 ########################################
@@ -566,15 +566,15 @@ define(`selinux_setfiles_execute_depend',`
 define(`selinux_read_config',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 selinux_config_t:dir { getattr search read };
-	allow $1 selinux_config_t:file { getattr read };
+	allow $1 selinux_config_t:dir r_dir_perms;
+	allow $1 selinux_config_t:file r_file_perms;
 ')
 
 define(`selinux_read_config_depend',`
 	type selinux_config_t;
 
-	class dir { getattr search read };
-	class file { getattr read };
+	class dir r_dir_perms;
+	class file r_file_perms;
 ')
 
 ########################################
@@ -585,15 +585,15 @@ define(`selinux_read_default_contexts',`
 	requires_block_template(`$0'_depend)
 
 	allow $1 selinux_config_t:dir search;
-	allow $1 default_context_t:dir { getattr search read };
-	allow $1 default_context_t:file { getattr read };
+	allow $1 default_context_t:dir r_dir_perms;
+	allow $1 default_context_t:file r_file_perms;
 ')
 
 define(`selinux_read_default_contexts_depend',`
 	type selinux_config_t, default_context_t;
 
-	class dir { getattr search read };
-	class file { getattr read };
+	class dir r_dir_perms;
+	class file r_file_perms;
 ')
 
 ########################################
@@ -604,15 +604,15 @@ define(`selinux_read_file_contexts',`
 	requires_block_template(`$0'_depend)
 
 	allow $1 selinux_config_t:dir search;
-	allow $1 file_context_t:dir { getattr search read };
-	allow $1 file_context_t:file { getattr read };
+	allow $1 file_context_t:dir r_dir_perms;
+	allow $1 file_context_t:file r_file_perms;
 ')
 
 define(`selinux_read_file_contexts_depend',`
 	type selinux_config_t, file_context_t;
 
-	class dir { getattr search read };
-	class file { getattr read };
+	class dir r_dir_perms;
+	class file r_file_perms;
 ')
 
 ########################################
@@ -622,15 +622,15 @@ define(`selinux_read_file_contexts_depend',`
 define(`selinux_read_binary_policy',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 policy_config_t:dir { getattr search read };
-	allow $1 policy_config_t:file { getattr read };
+	allow $1 policy_config_t:dir r_dir_perms;
+	allow $1 policy_config_t:file r_file_perms;
 ')
 
 define(`selinux_read_binary_policy_depend',`
 	type policy_config_t;
 
-	class dir { getattr search read };
-	class file { getattr read };
+	class dir r_dir_perms;
+	class file r_file_perms;
 ')
 
 ########################################
@@ -640,7 +640,7 @@ define(`selinux_read_binary_policy_depend',`
 define(`selinux_write_binary_policy',`
 	requires_block_template(`$0'_depend)
 
-	allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
+	allow $1 policy_config_t:dir rw_dir_perms;
 	allow $1 policy_config_t:file { getattr create write unlink };
 	typeattribute $1 can_write_binary_policy;
 ')
@@ -650,7 +650,7 @@ define(`selinux_write_binary_policy_depend',`
 
 	type policy_config_t;
 
-	class dir { getattr search read write add_name remove_name };
+	class dir rw_dir_perms;
 	class file { getattr create write unlink };
 ')
 
@@ -688,8 +688,8 @@ define(`selinux_manage_binary_policy',`
 
 	# FIXME: search etc_t:dir
 	allow $1 selinux_config_t:dir search;
-	allow $1 policy_config_t:dir { getattr search read };
-	allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 policy_config_t:dir r_dir_perms;
+	allow $1 policy_config_t:file create_file_perms;
 	typeattribute $1 can_write_binary_policy;
 ')
 
@@ -697,8 +697,8 @@ define(`selinux_manage_binary_policy_depend',`
 	attribute can_write_binary_policy;
 
 	type selinux_config_t, policy_config_t;
-	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-	class file { create ioctl read getattr lock write setattr append link unlink rename };
+	class dir create_dir_perms;
+	class file create_file_perms;
 ')
 
 ########################################
@@ -710,15 +710,15 @@ define(`selinux_read_source_policy',`
 
 	# FIXME: search etc_t:dir
 	allow $1 selinux_config_t:dir search;
-	allow $1 policy_src_t:dir { getattr search read };
-	allow $1 policy_src_t:file { getattr read };
+	allow $1 policy_src_t:dir r_dir_perms;
+	allow $1 policy_src_t:file r_file_perms;
 ')
 
 define(`selinux_read_source_policy_depend',`
 	type selinux_config_t, policy_src_t;
 
-	class dir { getattr search read };
-	class file { getattr read };
+	class dir r_dir_perms;
+	class file r_file_perms;
 ')
 
 ########################################
@@ -730,15 +730,15 @@ define(`selinux_manage_source_policy',`
 
 	# FIXME: search etc_t:dir
 	allow $1 selinux_config_t:dir search;
-	allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-	allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 policy_src_t:dir create_dir_perms;
+	allow $1 policy_src_t:file create_file_perms;
 ')
 
 define(`selinux_manage_source_policy_depend',`
 	type selinux_config_t, policy_src_t;
 
-	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-	class file { create ioctl read getattr lock write setattr append link unlink rename };
+	class dir create_dir_perms;
+	class file create_file_perms;
 ')
 
 ## </module>

refpolicy/policy/modules/system/selinuxutil.te

@@ -98,17 +98,17 @@ domain_make_entrypoint_file(setfiles_t,setfiles_exec_t)
 allow checkpolicy_t self:capability dac_override;
 
 # able to create and modify binary policy files
-allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow checkpolicy_t policy_config_t:dir rw_dir_perms;
+allow checkpolicy_t policy_config_t:file create_file_perms;
 
 # allow test policies to be created in src directories
-allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };
+allow checkpolicy_t policy_src_t:dir rw_dir_perms;
 type_transition checkpolicy_t policy_src_t:file policy_config_t;
 
 # only allow read of policy source files
-allow checkpolicy_t policy_src_t:dir { getattr search read };
-allow checkpolicy_t policy_src_t:file { getattr read ioctl };
-allow checkpolicy_t policy_src_t:lnk_file { getattr read };
+allow checkpolicy_t policy_src_t:dir r_dir_perms;
+allow checkpolicy_t policy_src_t:file r_file_perms;
+allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
 allow checkpolicy_t selinux_config_t:dir search;
 
 fs_get_persistent_fs_attributes(checkpolicy_t)
@@ -142,12 +142,12 @@ allow load_policy_t self:capability dac_override;
 
 # only allow read of policy config files
 allow load_policy_t policy_src_t:dir search;
-allow load_policy_t policy_config_t:dir { getattr search read };
-allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };
+allow load_policy_t policy_config_t:dir r_dir_perms;
+allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
 
-allow load_policy_t selinux_config_t:dir { getattr read search };
-allow load_policy_t selinux_config_t:file { read getattr };
-allow load_policy_t selinux_config_t:lnk_file { getattr read };
+allow load_policy_t selinux_config_t:dir r_dir_perms;
+allow load_policy_t selinux_config_t:file r_file_perms;
+allow load_policy_t selinux_config_t:lnk_file r_file_perms;
 
 kernel_get_selinuxfs_mount_point(load_policy_t)
 kernel_load_selinux_policy(load_policy_t)
@@ -182,17 +182,17 @@ allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
-allow newrole_t self:fifo_file { read getattr lock ioctl write append };
+allow newrole_t self:fifo_file rw_file_perms;
 allow newrole_t self:unix_dgram_socket sendto;
 allow newrole_t self:unix_stream_socket connectto;
-allow newrole_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow newrole_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow newrole_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow newrole_t self:shm create_shm_perms;
+allow newrole_t self:sem create_sem_perms;
+allow newrole_t self:msgq create_msgq_perms;
 allow newrole_t self:msg { send receive };
 
-allow newrole_t { selinux_config_t default_context_t }:dir { getattr read search };
-allow newrole_t { selinux_config_t default_context_t }:file { read getattr };
-allow newrole_t { selinux_config_t default_context_t }:lnk_file { getattr read };
+allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
+allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
+allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
 
 kernel_read_system_state(newrole_t)
 kernel_read_kernel_sysctl(newrole_t)
@@ -274,9 +274,9 @@ dontaudit newrole_t { home_root_t home_type }:dir search;
 
 allow restorecon_t self:capability { dac_override dac_read_search fowner };
 
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 
 kernel_use_file_descriptors(restorecon_t)
 kernel_read_system_state(restorecon_t)
@@ -353,7 +353,7 @@ ifdef(`targeted_policy',`',`
 	allow run_init_t self:process setexec;
 	allow run_init_t self:capability setuid;
 
-	allow run_init_t self:fifo_file { getattr read write };
+	allow run_init_t self:fifo_file rw_file_perms;
 
 	# often the administrator runs such programs from a directory that is owned
 	# by a different user or has restrictive SE permissions, do not want to audit
@@ -408,9 +408,9 @@ ifdef(`distro_gentoo', `
 
 allow setfiles_t self:capability { dac_override dac_read_search fowner };
 
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 
 kernel_read_system_state(setfiles_t)
 kernel_get_selinuxfs_mount_point(setfiles_t)

refpolicy/policy/modules/system/userdomain.if

@@ -48,14 +48,14 @@ define(`base_user_domain',`
 	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 	allow $1_t self:process { ptrace setfscreate };
 	allow $1_t self:fd use;
-	allow $1_t self:fifo_file { read getattr lock ioctl write append };
-	allow $1_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-	allow $1_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+	allow $1_t self:fifo_file rw_file_perms;
+	allow $1_t self:unix_dgram_socket create_socket_perms;
+	allow $1_t self:unix_stream_socket rw_stream_socket_perms;
 	allow $1_t self:unix_dgram_socket sendto;
 	allow $1_t self:unix_stream_socket connectto;
-	allow $1_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-	allow $1_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-	allow $1_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+	allow $1_t self:shm create_shm_perms;
+	allow $1_t self:sem create_sem_perms;
+	allow $1_t self:msgq create_msgq_perms;
 	allow $1_t self:msg { send receive };
 	dontaudit $1_t self:socket create;
 	# Irrelevant until we have labeled networking.
@@ -66,31 +66,31 @@ define(`base_user_domain',`
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 
 	# execute files in the home directory
-	allow $1_t $1_home_t:file { getattr read execute execute_no_trans };
+	allow $1_t $1_home_t:file { rx_file_perms execute_no_trans };
 
 	# full control of the home directory
-	allow $1_t $1_home_t:file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
-	allow $1_t $1_home_t:lnk_file { create read getattr setattr link unlink rename relabelfrom relabelto };
-	allow $1_t $1_home_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
-	allow $1_t $1_home_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
-	allow $1_t $1_home_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
-	allow $1_t $1_home_dir_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-	type_transition $1_t $1_home_dir_t:{ file lnk_file dir sock_file fifo_file } $1_home_t;
+	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
+	allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
+	allow $1_t $1_home_dir_t:dir create_dir_perms;
+	type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
 
-	allow $1_t $1_tmp_t:file { getattr read execute execute_no_trans };
+	allow $1_t $1_tmp_t:file { rx_file_perms execute_no_trans };
 
 	# Bind to a Unix domain socket in /tmp.
 	# cjp: this is combination is not checked and should be removed
 	allow $1_t $1_tmp_t:unix_stream_socket name_bind;
 
-	allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
-	allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
-	allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-	fs_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+	allow $1_t $1_tmpfs_t:dir rw_dir_perms;
+	allow $1_t $1_tmpfs_t:file create_file_perms;
+	allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_t $1_tmpfs_t:sock_file create_file_perms;
+	allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
+	fs_create_private_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
 
-	allow $1_t $1_tty_device_t:chr_file { setattr getattr read write append ioctl lock };
+	allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
 
 	allow $1_t unpriv_userdomain:fd use;
 
@@ -223,7 +223,7 @@ define(`base_user_domain',`
 	dontaudit $1_t usr_t:file setattr;
 
 	# Access the power device.
-	allow $1_t power_device_t:chr_file { getattr read write ioctl };
+	allow $1_t power_device_t:chr_file rw_file_perms;
 
 	# Check to see if cdrom is mounted
 	allow $1_t mnt_t:dir { getattr search };
@@ -272,7 +272,7 @@ define(`base_user_domain',`
 	dontaudit $1_t sysctl_t:dir_file_class_set getattr;
 	dontaudit $1_t proc_fs:dir { read search };
 
-	allow $1_t autofs_t:dir { search getattr };
+	allow $1_t autofs_t:dir { getattr search };
 
 	can_exec($1_t, { removable_t noexattrfile } )
 	if (user_rw_noexattrfile) {
@@ -320,7 +320,7 @@ define(`base_user_domain',`
 
 	# Gnome pannel binds to the following
 	ifdef(`cups.te', `
-		allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
+		allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
 	')
 
 	# Connect to inetd.
@@ -350,13 +350,13 @@ define(`base_user_domain',`
 		can_unix_connect($1_t, xdm_t)
 		allow $1_t xdm_tmp_t:sock_file rw_file_perms;
 		allow $1_t xdm_tmp_t:dir r_dir_perms;
-		allow $1_t xdm_tmp_t:file { getattr read };
+		allow $1_t xdm_tmp_t:file r_file_perms;
 		allow $1_t xdm_xserver_tmp_t:sock_file { read write };
 		allow $1_t xdm_xserver_tmp_t:dir search;
 		allow $1_t xdm_xserver_t:unix_stream_socket connectto;
 		# certain apps want to read xdm.pid file
 		r_dir_file($1_t, xdm_var_run_t)
-		allow $1_t xdm_var_lib_t:file { getattr read };
+		allow $1_t xdm_var_lib_t:file r_file_perms;
 		allow xdm_t $1_home_dir_t:dir getattr;
 		ifdef(`xauth.te', `
 			file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
@@ -373,7 +373,7 @@ define(`base_user_domain',`
 
 	ifdef(`cardmgr.te', `
 		# to allow monitoring of pcmcia status
-		allow $1_t cardmgr_var_run_t:file { getattr read };
+		allow $1_t cardmgr_var_run_t:file r_file_perms;
 	')
 
 	#
@@ -385,7 +385,7 @@ define(`base_user_domain',`
 	')
 
 	ifdef(`automount.te', `
-		allow $1_t autofs_t:dir { search getattr };
+		allow $1_t autofs_t:dir { getattr search };
 	')
 
 	ifdef(`pamconsole.te', `
@@ -434,20 +434,20 @@ define(`user_domain_template', `
 	allow $1_file_type $1_home_t:filesystem associate;
 
 	# user temporary files
-	allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_t $1_tmp_t:lnk_file { create read getattr setattr link unlink rename };
-	allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-	allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-	files_create_private_tmp_data($1_t, $1_tmp_t, { file lnk_file dir sock_file fifo_file })
+	allow $1_t $1_tmp_t:file create_file_perms;
+	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
+	allow $1_t $1_tmp_t:dir create_dir_perms;
+	allow $1_t $1_tmp_t:sock_file create_file_perms;
+	allow $1_t $1_tmp_t:fifo_file create_file_perms;
+	files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set })
 
 	# privileged home directory writers
-	allow privhome $1_home_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow privhome $1_home_t:lnk_file { create read getattr setattr link unlink rename };
-	allow privhome $1_home_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-	allow privhome $1_home_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow privhome $1_home_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-	type_transition privhome $1_home_dir_t:{ file lnk_file dir sock_file fifo_file } $1_home_t;
+	allow privhome $1_home_t:file create_file_perms;
+	allow privhome $1_home_t:lnk_file create_lnk_perms;
+	allow privhome $1_home_t:dir create_dir_perms;
+	allow privhome $1_home_t:sock_file create_file_perms;
+	allow privhome $1_home_t:fifo_file create_file_perms;
+	type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
 
 	kernel_read_system_state($1_t)
 	kernel_read_network_state($1_t)
@@ -645,12 +645,12 @@ define(`admin_domain_template',`
 	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
 	terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
 
-	allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-	allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_t $1_tmp_t:lnk_file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-	files_create_private_tmp_data($1_t, $1_tmp_t, { file dir lnk_file sock_file fifo_file })
+	allow $1_t $1_tmp_t:dir create_dir_perms;
+	allow $1_t $1_tmp_t:file create_file_perms;
+	allow $1_t $1_tmp_t:lnk_file create_file_perms;
+	allow $1_t $1_tmp_t:fifo_file create_file_perms;
+	allow $1_t $1_tmp_t:sock_file create_file_perms;
+	files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set })
 
 	kernel_read_system_state($1_t)
 	kernel_read_network_state($1_t)
@@ -931,15 +931,15 @@ define(`userdomain_read_all_users_data',`
 	requires_block_template(`$0'_depend)
 
 	files_list_home_directories($1)
-	allow $1 home_type:dir { getattr search read };
-	allow $1 home_type:file { getattr read };
+	allow $1 home_type:dir r_dir_perms;
+	allow $1 home_type:file r_file_perm;
 ')
 
 define(`userdomain_read_all_users_data_depend',`
 	attribute home_type;
 
-	class dir { getattr search read };
-	class file { getattr read };
+	class dir r_dir_perms;
+	class file r_file_perms;
 ')
 
 ########################################