diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 6f93c8aa..048d14cd 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -44,7 +44,7 @@ define(`gpg_per_userdomain_template',`
# transition from the userdomain to the derived domain
allow $1_t $1_gpg_t:process transition;
- allow $1_t gpg_exec_t:file { getattr read execute };
+ allow $1_t gpg_exec_t:file rx_file_perms;
type_transition $1_t gpg_exec_t:process $1_gpg_t;
dontaudit $1_t $1_gpg_t:process { noatsecure siginh rlimitinh };
@@ -58,12 +58,12 @@ define(`gpg_per_userdomain_template',`
# setrlimit is for ulimit -c 0
allow $1_gpg_t self:process { setrlimit setcap };
- allow $1_gpg_t self:fifo_file { getattr read write };
- allow $1_gpg_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+ allow $1_gpg_t self:fifo_file rw_file_perms;
+ allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
- allow $1_gpg_t $1_gpg_secret_t:dir { read getattr lock search ioctl add_name remove_name write };
- allow $1_gpg_t $1_gpg_secret_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_gpg_t $1_gpg_secret_t:lnk_file { create read getattr setattr link unlink rename };
+ allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
+ allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
+ allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
corenetwork_sendrecv_tcp_on_all_interfaces($1_gpg_t)
corenetwork_sendrecv_raw_on_all_interfaces($1_gpg_t)
@@ -159,7 +159,7 @@ define(`gpg_per_userdomain_template',`
# transition from the gpg domain to the helper domain
allow $1_gpg_t $1_gpg_helper_t:process transition;
- allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute };
+ allow $1_gpg_t gpg_helper_exec_t:file rx_file_perms;
type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
dontaudit $1_gpg_helper_t $1_gpg_t:process { noatsecure siginh rlimitinh };
@@ -168,10 +168,10 @@ define(`gpg_per_userdomain_template',`
allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
allow $1_gpg_helper_t $1_gpg_t:process sigchld;
- allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+ allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_gpg_helper_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
- allow $1_gpg_helper_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
+ allow $1_gpg_helper_t self:tcp_socket { connect connected_socket_perms };
+ allow $1_gpg_helper_t self:udp_socket { connect connected_socket_perms };
dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
@@ -224,12 +224,12 @@ define(`gpg_per_userdomain_template',`
# rlimit: gpg-agent wants to prevent coredumps
allow $1_gpg_agent_t self:process setrlimit;
- allow $1_gpg_agent_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
- allow $1_gpg_agent_t self:fifo_file { getattr read write };
+ allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
+ allow $1_gpg_agent_t self:fifo_file rw_file_perms;
- allow $1_t $1_gpg_agent_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- allow $1_t $1_gpg_agent_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_gpg_agent_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms;
+ allow $1_t $1_gpg_agent_tmp_t:file create_file_perms;
+ allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t)
@@ -256,7 +256,7 @@ define(`gpg_per_userdomain_template',`
allow $1_gpg_agent_t proc_t:dir search;
allow $1_gpg_agent_t proc_t:lnk_file read;
- allow $1_gpg_agent_t device_t:dir { getattr read };
+ allow $1_gpg_agent_t device_t:dir r_file_perms;
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
@@ -282,7 +282,7 @@ define(`gpg_per_userdomain_template',`
# we need to allow gpg-agent to call pinentry so it can get the passphrase
# from the user.
allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
- allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute };
+ allow $1_gpg_agent_t pinentry_exec_t:file rx_file_perms;
type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
dontaudit $1_gpg_agent_t $1_gpg_pinentry_t:process { noatsecure siginh rlimitinh };
@@ -292,7 +292,7 @@ define(`gpg_per_userdomain_template',`
allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
- allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
+ allow $1_gpg_pinentry_t self:fifo_file rw_file_perms;
# read /proc/meminfo
kernel_read_system_state($1_gpg_pinentry_t)
@@ -322,21 +322,21 @@ define(`gpg_per_userdomain_template',`
# for .Xauthority
allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
- allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
+ allow $1_gpg_pinentry_t $1_home_t:file r_file_perms;
# wants to put some lock files into the user home dir, seems to work fine without
dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
dontaudit $1_gpg_pinentry_t $1_home_t:file write;
if (use_nfs_home_dirs) {
allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
- allow $1_gpg_pinentry_t nfs_t:file { getattr read };
+ allow $1_gpg_pinentry_t nfs_t:file r_file_perms;
dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
dontaudit $1_gpg_pinentry_t nfs_t:file write;
}
if (use_samba_home_dirs) {
allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
- allow $1_gpg_pinentry_t cifs_t:file { getattr read };
+ allow $1_gpg_pinentry_t cifs_t:file r_file_perms;
dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
dontaudit $1_gpg_pinentry_t cifs_t:file write;
}
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 0eb06583..81a74106 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -10,9 +10,6 @@
## Gives kernel an entrypoint to the caller via
## the entrypoint type.
##
-##
-## ...
-##
##
## The process type entered by kernel.
##
@@ -47,10 +44,6 @@ define(`kernel_make_userland_entrypoint_depend',`
## Allows the kernel to share state information with
## the caller.
##
-##
-## Gives a type access to state information about
-## kernel processes
-##
##
## The type of the process with which to share state information.
##
@@ -73,9 +66,6 @@ define(`kernel_share_state_depend',`
##
## Permits caller to use kernel file descriptors.
##
-##
-## Permits use of kernel file descriptors.
-##
##
## The type of the process using the descriptors.
##
@@ -99,10 +89,6 @@ define(`kernel_use_file_descriptors_depend',`
## Do not audit attempts by the caller to use
## kernel file descriptors.
##
-##
-## Causes attempts to use kernel file descriptors
-## to not be audited for caller.
-##
##
## The type of process not to audit.
##
@@ -126,10 +112,6 @@ define(`kernel_ignore_use_file_descriptors_depend',`
## Allows the kernel to mount filesystems on
## the caller.
##
-##
-## Givers kernel permission to mount on directories
-## of the calling type.
-##
##
## The type of the directory to use as a mountpoint.
##
@@ -153,9 +135,6 @@ define(`kernel_make_root_fs_mountpoint_depend',`
## Makes caller an exception to the constraint preventing
## changing of user identity.
##
-##
-## Allows changing of user identity in context of the calling process.
-##
##
## The process type to make an exception to the constraint.
##
@@ -177,9 +156,6 @@ define(`kernel_make_process_identity_change_constraint_exception_depend',`
## Makes caller an exception to the constraint preventing
## changing of role.
##
-##
-## Allows changing of role in the context of the calling process.
-##
##
## The process type to make an exception to the constraint.
##
@@ -201,9 +177,6 @@ define(`kernel_make_role_change_constraint_exception_depend',`
## Makes caller an exception to the constraint preventing
## changing the user identity in object contexts.
##
-##
-## Allows caller to change user identities on objects
-##
##
## The process type to make an exception to the constraint.
##
@@ -225,9 +198,6 @@ define(`kernel_make_object_identity_change_constraint_exception_depend',`
##
## Allows caller to load kernel modules
##
-##
-## Allows loading of kernel modules.
-##
##
## The process type to allow to load kernel modules.
##
@@ -253,9 +223,6 @@ define(`kernel_load_module_depend',`
## Allows the caller to get the mode of policy enforcement
## (enforcing or permissive mode).
##
-##
-## Gives caller access to system state data.
-##
##
## The process type to allow to get the enforcing mode.
##
@@ -281,9 +248,6 @@ define(`kernel_get_selinux_enforcement_mode_depend',`
## Allow caller to set the mode of policy enforcement
## (enforcing or permissive mode).
##
-##
-## Caller becomes able to disable enforcement of policy.
-##
##
## The process type to allow to set the enforcement mode.
##
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index cee79a6c..a5ee8975 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -46,13 +46,13 @@ define(`logging_send_system_log_message',`
requires_block_template(`$0'_depend)
allow $1 devlog_t:lnk_file read;
- allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
+ allow $1 devlog_t:sock_file rw_file_perms;
# the type of socket depends on the syslog daemon
allow $1 syslogd_t:unix_dgram_socket sendto;
allow $1 syslogd_t:unix_stream_socket connectto;
- allow $1 self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
- allow $1 self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 self:unix_stream_socket create_socket_perms;
# cjp: this should most likely be removed:
terminal_use_console($1)
@@ -61,9 +61,9 @@ define(`logging_send_system_log_message',`
define(`logging_send_system_log_message_depend',`
type syslogd_t, devlog_t;
- class sock_file { ioctl read getattr lock write append };
- class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown sendto };
- class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto };
+ class sock_file rw_file_perms;
+ class unix_dgram_socket { create_socket_perms sendto };
+ class unix_stream_socket { create_socket_perms connectto };
')
########################################
@@ -115,7 +115,7 @@ define(`logging_append_all_logs',`
requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1)
- allow $1 var_log_t:dir { getattr search read };
+ allow $1 var_log_t:dir r_dir_perms;
allow $1 logfile:file { getattr append };
')
@@ -124,7 +124,7 @@ define(`logging_append_all_logs_depend',`
type var_log_t;
- class dir { getattr search read };
+ class dir r_dir_perms;
class file { getattr append };
')
@@ -136,8 +136,8 @@ define(`logging_read_all_logs',`
requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1)
- allow $1 var_log_t:dir { getattr search read };
- allow $1 logfile:file { getattr read };
+ allow $1 var_log_t:dir r_dir_perms;
+ allow $1 logfile:file r_file_perms;
')
define(`logging_read_all_logs_depend',`
@@ -145,8 +145,8 @@ define(`logging_read_all_logs_depend',`
type var_log_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
')
#######################################
@@ -157,15 +157,15 @@ define(`logging_read_system_logs',`
requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1)
- allow $1 var_log_t:dir { getattr search read };
- allow $1 var_log_t:file { getattr read };
+ allow $1 var_log_t:dir r_dir_perms;
+ allow $1 var_log_t:file r_file_perms;
')
define(`logging_read_system_logs_depend',`
type var_log_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
')
#######################################
@@ -176,14 +176,14 @@ define(`logging_write_system_logs',`
requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1)
- allow $1 var_log_t:dir { getattr search read };
+ allow $1 var_log_t:dir r_dir_perms;
allow $1 var_log_t:file { getattr write };
')
define(`logging_write_system_logs_depend',`
type var_log_t;
- class dir { getattr search read };
+ class dir r_dir_perms;
class file { getattr write };
')
@@ -195,15 +195,15 @@ define(`logging_modify_system_logs',`
requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1)
- allow $1 var_log_t:dir { getattr search read };
- allow $1 var_log_t:file { getattr read write append };
+ allow $1 var_log_t:dir r_dir_perms;
+ allow $1 var_log_t:file rw_file_perms;
')
define(`logging_modify_system_logs_depend',`
type var_log_t;
- class dir { getattr search read };
- class file { getattr read write append };
+ class dir r_dir_perms;
+ class file rw_file_perms;
')
##
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 78160b17..a0a1d9ae 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -53,9 +53,9 @@ allow auditd_t self:capability { audit_write audit_control };
dontaudit auditd_t self:capability sys_tty_config;
allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow auditd_t auditd_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow auditd_t auditd_log_t:file create_file_perms;
-allow auditd_t auditd_var_run_t:file { getattr create read write append setattr unlink };
+allow auditd_t auditd_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(auditd_t,auditd_var_run_t)
kernel_read_kernel_sysctl(auditd_t)
@@ -158,11 +158,11 @@ dontaudit syslogd_t self:capability sys_tty_config;
allow syslogd_t self:process signal_perms;
# receive messages to be logged
-allow syslogd_t self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-allow syslogd_t self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow syslogd_t self:unix_dgram_socket create_socket_perms;
+allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
allow syslogd_t self:unix_dgram_socket sendto;
-allow syslogd_t self:fifo_file { getattr read write ioctl lock };
-allow syslogd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+allow syslogd_t self:fifo_file rw_file_perms;
+allow syslogd_t self:udp_socket { connected_socket_perms connect };
# create/append log files.
allow syslogd_t var_log_t:dir rw_dir_perms;
@@ -176,14 +176,14 @@ allow syslogd_t syslogd_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
# Create and bind to /dev/log or /var/run/log.
-allow syslogd_t devlog_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow syslogd_t devlog_t:sock_file create_file_perms;
files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
# I belive these are not needed:
allow syslogd_t devlog_t:unix_stream_socket name_bind;
allow syslogd_t devlog_t:unix_dgram_socket name_bind;
# manage pid file
-allow syslogd_t syslogd_var_run_t:file { getattr create read write append setattr unlink };
+allow syslogd_t syslogd_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t)
kernel_read_hardware_state(syslogd_t)
@@ -234,7 +234,7 @@ files_ignore_search_isid_type_dir(syslogd_t)
#dontaudit syslogd_t unlabeled_t:file read;
#dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
allow syslogd_t self:capability net_admin;
-allow syslogd_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
+allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
ifdef(`klogd.te', `', `
# Allow access to /proc/kmsg for syslog-ng
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index c39ddab2..c9b9228c 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -14,7 +14,7 @@
define(`mount_transition',`
requires_block_template(`$0'_depend)
- allow $1 mount_exec_t:file { getattr read execute };
+ allow $1 mount_exec_t:file rx_file_perms;
allow $1 mount_t:process transition;
type_transition $1 mount_exec_t:process mount_t;
dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
@@ -28,7 +28,7 @@ define(`mount_transition',`
define(`mount_transition_depend',`
type mount_t, mount_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@@ -57,13 +57,13 @@ define(`mount_transition_add_role_use_terminal',`
mount_transition($1)
role $2 types mount_t;
- allow mount_t $3:chr_file { getattr read write ioctl };
+ allow mount_t $3:chr_file rw_file_perms;
')
define(`mount_transition_add_role_use_terminal_depend',`
type mount_t;
- class chr_file { getattr read write ioctl };
+ class chr_file rw_file_perms;
')
########################################
@@ -102,13 +102,13 @@ define(`mount_use_file_descriptors_depend',`
define(`mount_send_nfs_client_request',`
requires_block_template(`$0'_depend)
- allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown;
+ allow $1 mount_t:udp_socket rw_socket_perms;
')
define(`mount_send_nfs_client_request_depend',`
type mount_t;
- class udp_socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+ class udp_socket rw_socket_perms;
')
##
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 80813666..e9d961ad 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -14,8 +14,8 @@ files_make_temporary_file(mount_tmp_t)
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown };
-allow mount_t mount_tmp_t:file { getattr create read setattr write setattr unlink };
-allow mount_t mount_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
+allow mount_t mount_tmp_t:file create_file_perms;
+allow mount_t mount_tmp_t:dir create_dir_perms;
kernel_read_system_state(mount_t)
kernel_ignore_use_file_descriptors(mount_t)
@@ -113,7 +113,7 @@ files_make_mountpoint(var_lib_nfs_t)
# TODO: Probably need a macro for reading/unlinking files
# for when /etc/mtab loses its type
-allow mount_t file_t:file { getattr read unlink };
+allow mount_t file_t:file { r_file_perms unlink };
ifdef(`gnome-pty-helper.te', `
allow mount_t sysadm_gph_t:fd use;
diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if
index e88c067d..f3defc79 100644
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@@ -14,7 +14,7 @@
define(`selinux_checkpolicy_transition',`
requires_block_template(`$0'_depend)
- allow $1 checkpolicy_exec_t:file { getattr read execute };
+ allow $1 checkpolicy_exec_t:file rx_file_perms;
allow $1 checkpolicy_t:process transition;
type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
@@ -28,7 +28,7 @@ define(`selinux_checkpolicy_transition',`
define(`selinux_checkpolicy_transition_depend',`
type checkpolicy_t, checkpolicy_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms
class process { transition noatsecure siginh rlimitinh sigchld sigchld };
class fd use;
class fifo_file rw_file_perms;
@@ -74,13 +74,13 @@ define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
define(`selinux_checkpolicy_execute',`
requires_block_template(`$0'_depend)
- allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,checkpolicy_exec_t)
')
define(`selinux_checkpolicy_execute_depend',`
type checkpolicy_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
')
#######################################
@@ -96,7 +96,7 @@ define(`selinux_checkpolicy_execute_depend',`
define(`selinux_load_policy_transition',`
requires_block_template(`$0'_depend)
- allow $1 load_policy_exec_t:file { getattr read execute };
+ allow $1 load_policy_exec_t:file rx_file_perms;
allow $1 load_policy_t:process transition;
type_transition $1 load_policy_exec_t:process load_policy_t;
dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
@@ -110,7 +110,7 @@ define(`selinux_load_policy_transition',`
define(`selinux_load_policy_transition_depend',`
type load_policy_t, load_policy_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@@ -156,13 +156,13 @@ define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
define(`selinux_load_policy_execute',`
requires_block_template(`$0'_depend)
- allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,load_policy_exec_t)
')
define(`selinux_load_policy_execute_depend',`
type load_policy_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
')
#######################################
@@ -172,13 +172,13 @@ define(`selinux_load_policy_execute_depend',`
define(`selinux_read_load_policy_binary',`
requires_block_template(`$0'_depend)
- allow $1 load_policy_exec_t:file { getattr read };
+ allow $1 load_policy_exec_t:file r_file_perms;
')
define(`selinux_read_load_policy_binary_depend',`
type load_policy_exec_t;
- class file { getattr read };
+ class file r_file_perms
')
#######################################
@@ -194,7 +194,7 @@ define(`selinux_read_load_policy_binary_depend',`
define(`selinux_newrole_transition',`
requires_block_template(`$0'_depend)
- allow $1 newrole_exec_t:file { getattr read execute };
+ allow $1 newrole_exec_t:file rx_file_perms;
allow $1 newrole_t:process transition;
type_transition $1 newrole_exec_t:process newrole_t;
dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
@@ -208,7 +208,7 @@ define(`selinux_newrole_transition',`
define(`selinux_newrole_transition_depend',`
type newrole_t, newrole_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@@ -253,13 +253,13 @@ define(`selinux_newrole_transition_add_role_use_terminal_depend',`
define(`selinux_newrole_execute',`
requires_block_template(`$0'_depend)
- allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,newrole_exec_t)
')
define(`selinux_newrole_execute_depend',`
type newrole_t, newrole_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
')
########################################
@@ -330,7 +330,7 @@ define(`selinux_newrole_use_file_descriptors_depend',`
define(`selinux_restorecon_transition',`
requires_block_template(`$0'_depend)
- allow $1 restorecon_exec_t:file { getattr read execute };
+ allow $1 restorecon_exec_t:file rx_file_perms;
allow $1 restorecon_t:process transition;
type_transition $1 restorecon_exec_t:process restorecon_t;
dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
@@ -344,7 +344,7 @@ define(`selinux_restorecon_transition',`
define(`selinux_restorecon_transition_depend',`
type restorecon_t, restorecon_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@@ -388,13 +388,13 @@ define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
#
define(`selinux_restorecon_execute',`
requires_block_template(`$0'_depend)
-allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,restorecon_exec_t)
')
define(`selinux_restorecon_execute_depend',`
type restorecon_t, restorecon_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
')
########################################
@@ -410,7 +410,7 @@ define(`selinux_restorecon_execute_depend',`
define(`selinux_run_init_transition',`
requires_block_template(`$0'_depend)
- allow $1 run_init_exec_t:file { getattr read execute };
+ allow $1 run_init_exec_t:file rx_file_perms;
allow $1 run_init_t:process transition;
type_transition $1 run_init_exec_t:process run_init_t;
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
@@ -424,7 +424,7 @@ define(`selinux_run_init_transition',`
define(`selinux_run_init_transition_depend',`
type run_init_t, run_init_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@@ -491,7 +491,7 @@ define(`selinux_run_init_use_file_descriptors_depend',`
define(`selinux_setfiles_transition',`
requires_block_template(`$0'_depend)
- allow $1 setfiles_exec_t:file { getattr read execute };
+ allow $1 setfiles_exec_t:file rx_file_perms;
allow $1 setfiles_t:process transition;
type_transition $1 setfiles_exec_t:process setfiles_t;
dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
@@ -505,7 +505,7 @@ define(`selinux_setfiles_transition',`
define(`selinux_setfiles_transition_depend',`
type setfiles_t, setfiles_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@@ -550,13 +550,13 @@ define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
define(`selinux_setfiles_execute',`
requires_block_template(`$0'_depend)
- allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,setfiles_exec_t)
')
define(`selinux_setfiles_execute_depend',`
type setfiles_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
')
########################################
@@ -566,15 +566,15 @@ define(`selinux_setfiles_execute_depend',`
define(`selinux_read_config',`
requires_block_template(`$0'_depend)
- allow $1 selinux_config_t:dir { getattr search read };
- allow $1 selinux_config_t:file { getattr read };
+ allow $1 selinux_config_t:dir r_dir_perms;
+ allow $1 selinux_config_t:file r_file_perms;
')
define(`selinux_read_config_depend',`
type selinux_config_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
')
########################################
@@ -585,15 +585,15 @@ define(`selinux_read_default_contexts',`
requires_block_template(`$0'_depend)
allow $1 selinux_config_t:dir search;
- allow $1 default_context_t:dir { getattr search read };
- allow $1 default_context_t:file { getattr read };
+ allow $1 default_context_t:dir r_dir_perms;
+ allow $1 default_context_t:file r_file_perms;
')
define(`selinux_read_default_contexts_depend',`
type selinux_config_t, default_context_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
')
########################################
@@ -604,15 +604,15 @@ define(`selinux_read_file_contexts',`
requires_block_template(`$0'_depend)
allow $1 selinux_config_t:dir search;
- allow $1 file_context_t:dir { getattr search read };
- allow $1 file_context_t:file { getattr read };
+ allow $1 file_context_t:dir r_dir_perms;
+ allow $1 file_context_t:file r_file_perms;
')
define(`selinux_read_file_contexts_depend',`
type selinux_config_t, file_context_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
')
########################################
@@ -622,15 +622,15 @@ define(`selinux_read_file_contexts_depend',`
define(`selinux_read_binary_policy',`
requires_block_template(`$0'_depend)
- allow $1 policy_config_t:dir { getattr search read };
- allow $1 policy_config_t:file { getattr read };
+ allow $1 policy_config_t:dir r_dir_perms;
+ allow $1 policy_config_t:file r_file_perms;
')
define(`selinux_read_binary_policy_depend',`
type policy_config_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
')
########################################
@@ -640,7 +640,7 @@ define(`selinux_read_binary_policy_depend',`
define(`selinux_write_binary_policy',`
requires_block_template(`$0'_depend)
- allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
+ allow $1 policy_config_t:dir rw_dir_perms;
allow $1 policy_config_t:file { getattr create write unlink };
typeattribute $1 can_write_binary_policy;
')
@@ -650,7 +650,7 @@ define(`selinux_write_binary_policy_depend',`
type policy_config_t;
- class dir { getattr search read write add_name remove_name };
+ class dir rw_dir_perms;
class file { getattr create write unlink };
')
@@ -688,8 +688,8 @@ define(`selinux_manage_binary_policy',`
# FIXME: search etc_t:dir
allow $1 selinux_config_t:dir search;
- allow $1 policy_config_t:dir { getattr search read };
- allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1 policy_config_t:dir r_dir_perms;
+ allow $1 policy_config_t:file create_file_perms;
typeattribute $1 can_write_binary_policy;
')
@@ -697,8 +697,8 @@ define(`selinux_manage_binary_policy_depend',`
attribute can_write_binary_policy;
type selinux_config_t, policy_config_t;
- class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- class file { create ioctl read getattr lock write setattr append link unlink rename };
+ class dir create_dir_perms;
+ class file create_file_perms;
')
########################################
@@ -710,15 +710,15 @@ define(`selinux_read_source_policy',`
# FIXME: search etc_t:dir
allow $1 selinux_config_t:dir search;
- allow $1 policy_src_t:dir { getattr search read };
- allow $1 policy_src_t:file { getattr read };
+ allow $1 policy_src_t:dir r_dir_perms;
+ allow $1 policy_src_t:file r_file_perms;
')
define(`selinux_read_source_policy_depend',`
type selinux_config_t, policy_src_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
')
########################################
@@ -730,15 +730,15 @@ define(`selinux_manage_source_policy',`
# FIXME: search etc_t:dir
allow $1 selinux_config_t:dir search;
- allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1 policy_src_t:dir create_dir_perms;
+ allow $1 policy_src_t:file create_file_perms;
')
define(`selinux_manage_source_policy_depend',`
type selinux_config_t, policy_src_t;
- class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- class file { create ioctl read getattr lock write setattr append link unlink rename };
+ class dir create_dir_perms;
+ class file create_file_perms;
')
##
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 20d4bd67..5dc7688a 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -98,17 +98,17 @@ domain_make_entrypoint_file(setfiles_t,setfiles_exec_t)
allow checkpolicy_t self:capability dac_override;
# able to create and modify binary policy files
-allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow checkpolicy_t policy_config_t:dir rw_dir_perms;
+allow checkpolicy_t policy_config_t:file create_file_perms;
# allow test policies to be created in src directories
-allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };
+allow checkpolicy_t policy_src_t:dir rw_dir_perms;
type_transition checkpolicy_t policy_src_t:file policy_config_t;
# only allow read of policy source files
-allow checkpolicy_t policy_src_t:dir { getattr search read };
-allow checkpolicy_t policy_src_t:file { getattr read ioctl };
-allow checkpolicy_t policy_src_t:lnk_file { getattr read };
+allow checkpolicy_t policy_src_t:dir r_dir_perms;
+allow checkpolicy_t policy_src_t:file r_file_perms;
+allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
allow checkpolicy_t selinux_config_t:dir search;
fs_get_persistent_fs_attributes(checkpolicy_t)
@@ -142,12 +142,12 @@ allow load_policy_t self:capability dac_override;
# only allow read of policy config files
allow load_policy_t policy_src_t:dir search;
-allow load_policy_t policy_config_t:dir { getattr search read };
-allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };
+allow load_policy_t policy_config_t:dir r_dir_perms;
+allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
-allow load_policy_t selinux_config_t:dir { getattr read search };
-allow load_policy_t selinux_config_t:file { read getattr };
-allow load_policy_t selinux_config_t:lnk_file { getattr read };
+allow load_policy_t selinux_config_t:dir r_dir_perms;
+allow load_policy_t selinux_config_t:file r_file_perms;
+allow load_policy_t selinux_config_t:lnk_file r_file_perms;
kernel_get_selinuxfs_mount_point(load_policy_t)
kernel_load_selinux_policy(load_policy_t)
@@ -182,17 +182,17 @@ allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
-allow newrole_t self:fifo_file { read getattr lock ioctl write append };
+allow newrole_t self:fifo_file rw_file_perms;
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket connectto;
-allow newrole_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow newrole_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow newrole_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow newrole_t self:shm create_shm_perms;
+allow newrole_t self:sem create_sem_perms;
+allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
-allow newrole_t { selinux_config_t default_context_t }:dir { getattr read search };
-allow newrole_t { selinux_config_t default_context_t }:file { read getattr };
-allow newrole_t { selinux_config_t default_context_t }:lnk_file { getattr read };
+allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
+allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
+allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(newrole_t)
kernel_read_kernel_sysctl(newrole_t)
@@ -274,9 +274,9 @@ dontaudit newrole_t { home_root_t home_type }:dir search;
allow restorecon_t self:capability { dac_override dac_read_search fowner };
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_use_file_descriptors(restorecon_t)
kernel_read_system_state(restorecon_t)
@@ -353,7 +353,7 @@ ifdef(`targeted_policy',`',`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
- allow run_init_t self:fifo_file { getattr read write };
+ allow run_init_t self:fifo_file rw_file_perms;
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
@@ -408,9 +408,9 @@ ifdef(`distro_gentoo', `
allow setfiles_t self:capability { dac_override dac_read_search fowner };
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(setfiles_t)
kernel_get_selinuxfs_mount_point(setfiles_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index e88c067d..f3defc79 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -14,7 +14,7 @@
define(`selinux_checkpolicy_transition',`
requires_block_template(`$0'_depend)
- allow $1 checkpolicy_exec_t:file { getattr read execute };
+ allow $1 checkpolicy_exec_t:file rx_file_perms;
allow $1 checkpolicy_t:process transition;
type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
@@ -28,7 +28,7 @@ define(`selinux_checkpolicy_transition',`
define(`selinux_checkpolicy_transition_depend',`
type checkpolicy_t, checkpolicy_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms
class process { transition noatsecure siginh rlimitinh sigchld sigchld };
class fd use;
class fifo_file rw_file_perms;
@@ -74,13 +74,13 @@ define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
define(`selinux_checkpolicy_execute',`
requires_block_template(`$0'_depend)
- allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,checkpolicy_exec_t)
')
define(`selinux_checkpolicy_execute_depend',`
type checkpolicy_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
')
#######################################
@@ -96,7 +96,7 @@ define(`selinux_checkpolicy_execute_depend',`
define(`selinux_load_policy_transition',`
requires_block_template(`$0'_depend)
- allow $1 load_policy_exec_t:file { getattr read execute };
+ allow $1 load_policy_exec_t:file rx_file_perms;
allow $1 load_policy_t:process transition;
type_transition $1 load_policy_exec_t:process load_policy_t;
dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
@@ -110,7 +110,7 @@ define(`selinux_load_policy_transition',`
define(`selinux_load_policy_transition_depend',`
type load_policy_t, load_policy_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@@ -156,13 +156,13 @@ define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
define(`selinux_load_policy_execute',`
requires_block_template(`$0'_depend)
- allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,load_policy_exec_t)
')
define(`selinux_load_policy_execute_depend',`
type load_policy_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
')
#######################################
@@ -172,13 +172,13 @@ define(`selinux_load_policy_execute_depend',`
define(`selinux_read_load_policy_binary',`
requires_block_template(`$0'_depend)
- allow $1 load_policy_exec_t:file { getattr read };
+ allow $1 load_policy_exec_t:file r_file_perms;
')
define(`selinux_read_load_policy_binary_depend',`
type load_policy_exec_t;
- class file { getattr read };
+ class file r_file_perms
')
#######################################
@@ -194,7 +194,7 @@ define(`selinux_read_load_policy_binary_depend',`
define(`selinux_newrole_transition',`
requires_block_template(`$0'_depend)
- allow $1 newrole_exec_t:file { getattr read execute };
+ allow $1 newrole_exec_t:file rx_file_perms;
allow $1 newrole_t:process transition;
type_transition $1 newrole_exec_t:process newrole_t;
dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
@@ -208,7 +208,7 @@ define(`selinux_newrole_transition',`
define(`selinux_newrole_transition_depend',`
type newrole_t, newrole_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@@ -253,13 +253,13 @@ define(`selinux_newrole_transition_add_role_use_terminal_depend',`
define(`selinux_newrole_execute',`
requires_block_template(`$0'_depend)
- allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,newrole_exec_t)
')
define(`selinux_newrole_execute_depend',`
type newrole_t, newrole_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
')
########################################
@@ -330,7 +330,7 @@ define(`selinux_newrole_use_file_descriptors_depend',`
define(`selinux_restorecon_transition',`
requires_block_template(`$0'_depend)
- allow $1 restorecon_exec_t:file { getattr read execute };
+ allow $1 restorecon_exec_t:file rx_file_perms;
allow $1 restorecon_t:process transition;
type_transition $1 restorecon_exec_t:process restorecon_t;
dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
@@ -344,7 +344,7 @@ define(`selinux_restorecon_transition',`
define(`selinux_restorecon_transition_depend',`
type restorecon_t, restorecon_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@@ -388,13 +388,13 @@ define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
#
define(`selinux_restorecon_execute',`
requires_block_template(`$0'_depend)
-allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,restorecon_exec_t)
')
define(`selinux_restorecon_execute_depend',`
type restorecon_t, restorecon_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
')
########################################
@@ -410,7 +410,7 @@ define(`selinux_restorecon_execute_depend',`
define(`selinux_run_init_transition',`
requires_block_template(`$0'_depend)
- allow $1 run_init_exec_t:file { getattr read execute };
+ allow $1 run_init_exec_t:file rx_file_perms;
allow $1 run_init_t:process transition;
type_transition $1 run_init_exec_t:process run_init_t;
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
@@ -424,7 +424,7 @@ define(`selinux_run_init_transition',`
define(`selinux_run_init_transition_depend',`
type run_init_t, run_init_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@@ -491,7 +491,7 @@ define(`selinux_run_init_use_file_descriptors_depend',`
define(`selinux_setfiles_transition',`
requires_block_template(`$0'_depend)
- allow $1 setfiles_exec_t:file { getattr read execute };
+ allow $1 setfiles_exec_t:file rx_file_perms;
allow $1 setfiles_t:process transition;
type_transition $1 setfiles_exec_t:process setfiles_t;
dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
@@ -505,7 +505,7 @@ define(`selinux_setfiles_transition',`
define(`selinux_setfiles_transition_depend',`
type setfiles_t, setfiles_exec_t;
- class file { getattr read execute };
+ class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
@@ -550,13 +550,13 @@ define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
define(`selinux_setfiles_execute',`
requires_block_template(`$0'_depend)
- allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
+ can_exec($1,setfiles_exec_t)
')
define(`selinux_setfiles_execute_depend',`
type setfiles_exec_t;
- class file { getattr read execute execute_no_trans };
+ class file { rx_file_perms execute_no_trans };
')
########################################
@@ -566,15 +566,15 @@ define(`selinux_setfiles_execute_depend',`
define(`selinux_read_config',`
requires_block_template(`$0'_depend)
- allow $1 selinux_config_t:dir { getattr search read };
- allow $1 selinux_config_t:file { getattr read };
+ allow $1 selinux_config_t:dir r_dir_perms;
+ allow $1 selinux_config_t:file r_file_perms;
')
define(`selinux_read_config_depend',`
type selinux_config_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
')
########################################
@@ -585,15 +585,15 @@ define(`selinux_read_default_contexts',`
requires_block_template(`$0'_depend)
allow $1 selinux_config_t:dir search;
- allow $1 default_context_t:dir { getattr search read };
- allow $1 default_context_t:file { getattr read };
+ allow $1 default_context_t:dir r_dir_perms;
+ allow $1 default_context_t:file r_file_perms;
')
define(`selinux_read_default_contexts_depend',`
type selinux_config_t, default_context_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
')
########################################
@@ -604,15 +604,15 @@ define(`selinux_read_file_contexts',`
requires_block_template(`$0'_depend)
allow $1 selinux_config_t:dir search;
- allow $1 file_context_t:dir { getattr search read };
- allow $1 file_context_t:file { getattr read };
+ allow $1 file_context_t:dir r_dir_perms;
+ allow $1 file_context_t:file r_file_perms;
')
define(`selinux_read_file_contexts_depend',`
type selinux_config_t, file_context_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
')
########################################
@@ -622,15 +622,15 @@ define(`selinux_read_file_contexts_depend',`
define(`selinux_read_binary_policy',`
requires_block_template(`$0'_depend)
- allow $1 policy_config_t:dir { getattr search read };
- allow $1 policy_config_t:file { getattr read };
+ allow $1 policy_config_t:dir r_dir_perms;
+ allow $1 policy_config_t:file r_file_perms;
')
define(`selinux_read_binary_policy_depend',`
type policy_config_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
')
########################################
@@ -640,7 +640,7 @@ define(`selinux_read_binary_policy_depend',`
define(`selinux_write_binary_policy',`
requires_block_template(`$0'_depend)
- allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
+ allow $1 policy_config_t:dir rw_dir_perms;
allow $1 policy_config_t:file { getattr create write unlink };
typeattribute $1 can_write_binary_policy;
')
@@ -650,7 +650,7 @@ define(`selinux_write_binary_policy_depend',`
type policy_config_t;
- class dir { getattr search read write add_name remove_name };
+ class dir rw_dir_perms;
class file { getattr create write unlink };
')
@@ -688,8 +688,8 @@ define(`selinux_manage_binary_policy',`
# FIXME: search etc_t:dir
allow $1 selinux_config_t:dir search;
- allow $1 policy_config_t:dir { getattr search read };
- allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1 policy_config_t:dir r_dir_perms;
+ allow $1 policy_config_t:file create_file_perms;
typeattribute $1 can_write_binary_policy;
')
@@ -697,8 +697,8 @@ define(`selinux_manage_binary_policy_depend',`
attribute can_write_binary_policy;
type selinux_config_t, policy_config_t;
- class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- class file { create ioctl read getattr lock write setattr append link unlink rename };
+ class dir create_dir_perms;
+ class file create_file_perms;
')
########################################
@@ -710,15 +710,15 @@ define(`selinux_read_source_policy',`
# FIXME: search etc_t:dir
allow $1 selinux_config_t:dir search;
- allow $1 policy_src_t:dir { getattr search read };
- allow $1 policy_src_t:file { getattr read };
+ allow $1 policy_src_t:dir r_dir_perms;
+ allow $1 policy_src_t:file r_file_perms;
')
define(`selinux_read_source_policy_depend',`
type selinux_config_t, policy_src_t;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
')
########################################
@@ -730,15 +730,15 @@ define(`selinux_manage_source_policy',`
# FIXME: search etc_t:dir
allow $1 selinux_config_t:dir search;
- allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1 policy_src_t:dir create_dir_perms;
+ allow $1 policy_src_t:file create_file_perms;
')
define(`selinux_manage_source_policy_depend',`
type selinux_config_t, policy_src_t;
- class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- class file { create ioctl read getattr lock write setattr append link unlink rename };
+ class dir create_dir_perms;
+ class file create_file_perms;
')
##
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 20d4bd67..5dc7688a 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -98,17 +98,17 @@ domain_make_entrypoint_file(setfiles_t,setfiles_exec_t)
allow checkpolicy_t self:capability dac_override;
# able to create and modify binary policy files
-allow checkpolicy_t policy_config_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow checkpolicy_t policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow checkpolicy_t policy_config_t:dir rw_dir_perms;
+allow checkpolicy_t policy_config_t:file create_file_perms;
# allow test policies to be created in src directories
-allow checkpolicy_t policy_src_t:dir { getattr search read write add_name remove_name };
+allow checkpolicy_t policy_src_t:dir rw_dir_perms;
type_transition checkpolicy_t policy_src_t:file policy_config_t;
# only allow read of policy source files
-allow checkpolicy_t policy_src_t:dir { getattr search read };
-allow checkpolicy_t policy_src_t:file { getattr read ioctl };
-allow checkpolicy_t policy_src_t:lnk_file { getattr read };
+allow checkpolicy_t policy_src_t:dir r_dir_perms;
+allow checkpolicy_t policy_src_t:file r_file_perms;
+allow checkpolicy_t policy_src_t:lnk_file r_file_perms;
allow checkpolicy_t selinux_config_t:dir search;
fs_get_persistent_fs_attributes(checkpolicy_t)
@@ -142,12 +142,12 @@ allow load_policy_t self:capability dac_override;
# only allow read of policy config files
allow load_policy_t policy_src_t:dir search;
-allow load_policy_t policy_config_t:dir { getattr search read };
-allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };
+allow load_policy_t policy_config_t:dir r_dir_perms;
+allow load_policy_t policy_config_t:notdevfile_class_set r_file_perms;
-allow load_policy_t selinux_config_t:dir { getattr read search };
-allow load_policy_t selinux_config_t:file { read getattr };
-allow load_policy_t selinux_config_t:lnk_file { getattr read };
+allow load_policy_t selinux_config_t:dir r_dir_perms;
+allow load_policy_t selinux_config_t:file r_file_perms;
+allow load_policy_t selinux_config_t:lnk_file r_file_perms;
kernel_get_selinuxfs_mount_point(load_policy_t)
kernel_load_selinux_policy(load_policy_t)
@@ -182,17 +182,17 @@ allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
-allow newrole_t self:fifo_file { read getattr lock ioctl write append };
+allow newrole_t self:fifo_file rw_file_perms;
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket connectto;
-allow newrole_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
-allow newrole_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
-allow newrole_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow newrole_t self:shm create_shm_perms;
+allow newrole_t self:sem create_sem_perms;
+allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
-allow newrole_t { selinux_config_t default_context_t }:dir { getattr read search };
-allow newrole_t { selinux_config_t default_context_t }:file { read getattr };
-allow newrole_t { selinux_config_t default_context_t }:lnk_file { getattr read };
+allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
+allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
+allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(newrole_t)
kernel_read_kernel_sysctl(newrole_t)
@@ -274,9 +274,9 @@ dontaudit newrole_t { home_root_t home_type }:dir search;
allow restorecon_t self:capability { dac_override dac_read_search fowner };
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
-allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
+allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_use_file_descriptors(restorecon_t)
kernel_read_system_state(restorecon_t)
@@ -353,7 +353,7 @@ ifdef(`targeted_policy',`',`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
- allow run_init_t self:fifo_file { getattr read write };
+ allow run_init_t self:fifo_file rw_file_perms;
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
@@ -408,9 +408,9 @@ ifdef(`distro_gentoo', `
allow setfiles_t self:capability { dac_override dac_read_search fowner };
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir { getattr read search };
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file { read getattr };
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { getattr read };
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(setfiles_t)
kernel_get_selinuxfs_mount_point(setfiles_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 9619912d..c7e0fc1b 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -48,14 +48,14 @@ define(`base_user_domain',`
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow $1_t self:process { ptrace setfscreate };
allow $1_t self:fd use;
- allow $1_t self:fifo_file { read getattr lock ioctl write append };
- allow $1_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
- allow $1_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+ allow $1_t self:fifo_file rw_file_perms;
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket rw_stream_socket_perms;
allow $1_t self:unix_dgram_socket sendto;
allow $1_t self:unix_stream_socket connectto;
- allow $1_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
- allow $1_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
- allow $1_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+ allow $1_t self:shm create_shm_perms;
+ allow $1_t self:sem create_sem_perms;
+ allow $1_t self:msgq create_msgq_perms;
allow $1_t self:msg { send receive };
dontaudit $1_t self:socket create;
# Irrelevant until we have labeled networking.
@@ -66,31 +66,31 @@ define(`base_user_domain',`
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
# execute files in the home directory
- allow $1_t $1_home_t:file { getattr read execute execute_no_trans };
+ allow $1_t $1_home_t:file { rx_file_perms execute_no_trans };
# full control of the home directory
- allow $1_t $1_home_t:file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
- allow $1_t $1_home_t:lnk_file { create read getattr setattr link unlink rename relabelfrom relabelto };
- allow $1_t $1_home_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
- allow $1_t $1_home_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
- allow $1_t $1_home_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
- allow $1_t $1_home_dir_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- type_transition $1_t $1_home_dir_t:{ file lnk_file dir sock_file fifo_file } $1_home_t;
+ allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
+ allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
+ allow $1_t $1_home_dir_t:dir create_dir_perms;
+ type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
- allow $1_t $1_tmp_t:file { getattr read execute execute_no_trans };
+ allow $1_t $1_tmp_t:file { rx_file_perms execute_no_trans };
# Bind to a Unix domain socket in /tmp.
# cjp: this is combination is not checked and should be removed
allow $1_t $1_tmp_t:unix_stream_socket name_bind;
- allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
- allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
- allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- fs_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ allow $1_t $1_tmpfs_t:dir rw_dir_perms;
+ allow $1_t $1_tmpfs_t:file create_file_perms;
+ allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
+ allow $1_t $1_tmpfs_t:sock_file create_file_perms;
+ allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
+ fs_create_private_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
- allow $1_t $1_tty_device_t:chr_file { setattr getattr read write append ioctl lock };
+ allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
allow $1_t unpriv_userdomain:fd use;
@@ -223,7 +223,7 @@ define(`base_user_domain',`
dontaudit $1_t usr_t:file setattr;
# Access the power device.
- allow $1_t power_device_t:chr_file { getattr read write ioctl };
+ allow $1_t power_device_t:chr_file rw_file_perms;
# Check to see if cdrom is mounted
allow $1_t mnt_t:dir { getattr search };
@@ -272,7 +272,7 @@ define(`base_user_domain',`
dontaudit $1_t sysctl_t:dir_file_class_set getattr;
dontaudit $1_t proc_fs:dir { read search };
- allow $1_t autofs_t:dir { search getattr };
+ allow $1_t autofs_t:dir { getattr search };
can_exec($1_t, { removable_t noexattrfile } )
if (user_rw_noexattrfile) {
@@ -320,7 +320,7 @@ define(`base_user_domain',`
# Gnome pannel binds to the following
ifdef(`cups.te', `
- allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
+ allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file r_file_perms;
')
# Connect to inetd.
@@ -350,13 +350,13 @@ define(`base_user_domain',`
can_unix_connect($1_t, xdm_t)
allow $1_t xdm_tmp_t:sock_file rw_file_perms;
allow $1_t xdm_tmp_t:dir r_dir_perms;
- allow $1_t xdm_tmp_t:file { getattr read };
+ allow $1_t xdm_tmp_t:file r_file_perms;
allow $1_t xdm_xserver_tmp_t:sock_file { read write };
allow $1_t xdm_xserver_tmp_t:dir search;
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
# certain apps want to read xdm.pid file
r_dir_file($1_t, xdm_var_run_t)
- allow $1_t xdm_var_lib_t:file { getattr read };
+ allow $1_t xdm_var_lib_t:file r_file_perms;
allow xdm_t $1_home_dir_t:dir getattr;
ifdef(`xauth.te', `
file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
@@ -373,7 +373,7 @@ define(`base_user_domain',`
ifdef(`cardmgr.te', `
# to allow monitoring of pcmcia status
- allow $1_t cardmgr_var_run_t:file { getattr read };
+ allow $1_t cardmgr_var_run_t:file r_file_perms;
')
#
@@ -385,7 +385,7 @@ define(`base_user_domain',`
')
ifdef(`automount.te', `
- allow $1_t autofs_t:dir { search getattr };
+ allow $1_t autofs_t:dir { getattr search };
')
ifdef(`pamconsole.te', `
@@ -434,20 +434,20 @@ define(`user_domain_template', `
allow $1_file_type $1_home_t:filesystem associate;
# user temporary files
- allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_tmp_t:lnk_file { create read getattr setattr link unlink rename };
- allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- files_create_private_tmp_data($1_t, $1_tmp_t, { file lnk_file dir sock_file fifo_file })
+ allow $1_t $1_tmp_t:file create_file_perms;
+ allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
+ allow $1_t $1_tmp_t:dir create_dir_perms;
+ allow $1_t $1_tmp_t:sock_file create_file_perms;
+ allow $1_t $1_tmp_t:fifo_file create_file_perms;
+ files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set })
# privileged home directory writers
- allow privhome $1_home_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow privhome $1_home_t:lnk_file { create read getattr setattr link unlink rename };
- allow privhome $1_home_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- allow privhome $1_home_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow privhome $1_home_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- type_transition privhome $1_home_dir_t:{ file lnk_file dir sock_file fifo_file } $1_home_t;
+ allow privhome $1_home_t:file create_file_perms;
+ allow privhome $1_home_t:lnk_file create_lnk_perms;
+ allow privhome $1_home_t:dir create_dir_perms;
+ allow privhome $1_home_t:sock_file create_file_perms;
+ allow privhome $1_home_t:fifo_file create_file_perms;
+ type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
@@ -645,12 +645,12 @@ define(`admin_domain_template',`
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
- allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
- allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_tmp_t:lnk_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_tmp_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_tmp_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- files_create_private_tmp_data($1_t, $1_tmp_t, { file dir lnk_file sock_file fifo_file })
+ allow $1_t $1_tmp_t:dir create_dir_perms;
+ allow $1_t $1_tmp_t:file create_file_perms;
+ allow $1_t $1_tmp_t:lnk_file create_file_perms;
+ allow $1_t $1_tmp_t:fifo_file create_file_perms;
+ allow $1_t $1_tmp_t:sock_file create_file_perms;
+ files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set })
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
@@ -931,15 +931,15 @@ define(`userdomain_read_all_users_data',`
requires_block_template(`$0'_depend)
files_list_home_directories($1)
- allow $1 home_type:dir { getattr search read };
- allow $1 home_type:file { getattr read };
+ allow $1 home_type:dir r_dir_perms;
+ allow $1 home_type:file r_file_perm;
')
define(`userdomain_read_all_users_data_depend',`
attribute home_type;
- class dir { getattr search read };
- class file { getattr read };
+ class dir r_dir_perms;
+ class file r_file_perms;
')
########################################