aliases

2005-06-09 14:50:48 +00:00 · 2005-06-09 14:50:48 +00:00 · dd822947d2
commit dd822947d2
parent 80048ca5d2
18 changed files with 458 additions and 293 deletions
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@ -1,6 +1,22 @@
 ## <module name="authlogin" layer="system">
 ## <summary>Common policy for authentication and user login.</summary>
 ########################################
 ## <interface name="authlogin_per_userdomain_template">
 ##	<description>
 ##		
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="userdomain_prefix">
 ##		
 ##	</parameter>
 ##	<infoflow type="write" weight="10"/>
 ## </interface>
 #
 #######################################
 #
 # Per user domain template for this module
@ -47,10 +63,7 @@ define(`authlogin_per_userdomain_template',`
 	#can_ldap($1_chkpwd_t)
 	# Transition from the user domain to this domain.
-	allow $1_t chkpwd_exec_t:file { getattr read execute };
+	domain_auto_trans($1,chkpwd_exec_t,$1_chkpwd_t)
 	allow $1_t $1_chkpwd_t:process transition;
 	type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t;
 	dontaudit $1_t $1_chkpwd_t:process { noatsecure siginh rlimitinh };
 	allow $1_chkpwd_t $1_t:fd use;
 	allow $1_t $1_chkpwd_t:fd use;
@ -65,7 +78,7 @@ define(`authlogin_per_userdomain_template',`
 	#ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
 	tunable_policy(`use_dns',`
-		allow $1_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+		allow $1_chkpwd_t self:udp_socket create_socket_perms;
 		corenetwork_sendrecv_udp_on_all_interfaces($1_chkpwd_t)
 		corenetwork_sendrecv_raw_on_all_interfaces($1_chkpwd_t)
 		corenetwork_sendrecv_udp_on_all_nodes($1_chkpwd_t)
@ -86,7 +99,7 @@ define(`authlogin_per_userdomain_template_depend',`
 	type chkpwd_exec_t, system_chkpwd_t, shadow_t;
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { getattr transition sigchld };
 	class capability setuid;
 	class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; 
@ -95,6 +108,21 @@ define(`authlogin_per_userdomain_template_depend',`
 	class fifo_file rw_file_perms;
 ')
 ########################################
 ## <interface name="authlogin_make_login_program_entrypoint">
 ##	<description>
 ##		
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
 ##		
 ##	</parameter>
 ##	<infoflow type="write" weight="10"/>
 ## </interface>
 #
 #######################################
 #
 # authlogin_make_login_program_entrypoint(domain)
@ -127,7 +155,7 @@ define(`authlogin_login_program_transition',`
 	requires_block_template(`$0'_depend)
 	# FIXME: search bin_t
-	allow $1 login_exec_t:file { getattr read execute };
+	allow $1 login_exec_t:file rx_file_perms;
 	allow $1 $2:process transition;
 	type_transition $1 login_exec_t:process $2;
 	dontaudit $1 $2:process { noatsecure siginh rlimitinh };
@ -141,12 +169,26 @@ define(`authlogin_login_program_transition',`
 define(`authlogin_login_program_transition_depend',`
 	type login_exec_t;
-	class file { getattr read execute };
+	class file rx_file_perms; 
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
 ')
 ########################################
 ## <interface name="authlogin_check_password_transition">
 ##	<description>
 ##		
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
 ##		
 ##	</parameter>
 ##	<infoflow type="write" weight="10"/>
 ## </interface>
 #
 #######################################
 #
 # authlogin_check_password_transition(domain)
@ -168,7 +210,7 @@ define(`authlogin_check_password_transition',`
 	#can_ldap($1_t)
 	tunable_policy(`use_dns',`
-		allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+		allow $1 self:udp_socket create_socket_perms;
 		corenetwork_sendrecv_udp_on_all_interfaces($1)
 		corenetwork_sendrecv_raw_on_all_interfaces($1)
 		corenetwork_sendrecv_udp_on_all_nodes($1)
@ -182,13 +224,27 @@ define(`authlogin_check_password_transition',`
 define(`authlogin_check_password_transition_depend',`
 	type system_chkpwd_t, chkpwd_exec_t, shadow_t;
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition sigchld };                         
-	class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+	class udp_socket create_socket_perms;
 	class fd use;
 	class fifo_file rw_file_perms;
 ')
 ########################################
 ## <interface name="authlogin_ignore_get_shadow_passwords_attributes">
 ##	<description>
 ##		
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
 ##		
 ##	</parameter>
 ##	<infoflow type="write" weight="10"/>
 ## </interface>
 #
 #######################################
 #
 # authlogin_ignore_get_shadow_passwords_attributes(domain)
@ -202,9 +258,23 @@ define(`authlogin_ignore_get_shadow_passwords_attributes',`
 define(`authlogin_ignore_get_shadow_passwords_attributes_depend',`
 	type shadow_t;
-	class file getattr;
+	class file stat_file_perms;
 ')
 ########################################
 ## <interface name="authlogin_read_shadow_passwords">
 ##	<description>
 ##		
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
 ##		
 ##	</parameter>
 ##	<infoflow type="write" weight="10"/>
 ## </interface>
 #
 #######################################
 #
 # authlogin_read_shadow_passwords(domain)
@ -213,7 +283,7 @@ define(`authlogin_read_shadow_passwords',`
 	requires_block_template(`$0'_depend)
 	files_read_general_system_config_directory($1)
-	allow $1 shadow_t:file { getattr read };
+	allow $1 shadow_t:file r_file_perms;
 	typeattribute $1 can_read_shadow_passwords;
 ')
@ -222,9 +292,23 @@ define(`authlogin_read_shadow_passwords_depend',`
 	type shadow_t;
-	class file { getattr read };
+	class file r_file_perms;
 ')
 ########################################
 ## <interface name="authlogin_ignore_read_shadow_passwords">
 ##	<description>
 ##		
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
 ##		
 ##	</parameter>
 ##	<infoflow type="write" weight="10"/>
 ## </interface>
 #
 #######################################
 #
 # authlogin_ignore_read_shadow_passwords(domain)
@ -238,9 +322,23 @@ define(`authlogin_ignore_read_shadow_passwords',`
 define(`authlogin_ignore_read_shadow_passwords_depend',`
 	type shadow_t;
-	class file { getattr read };
+	class file r_file_perms;
 ')
 ########################################
 ## <interface name="authlogin_modify_shadow_passwords">
 ##	<description>
 ##		
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
 ##		
 ##	</parameter>
 ##	<infoflow type="write" weight="10"/>
 ## </interface>
 #
 #######################################
 #
 # authlogin_modify_shadow_passwords(domain)
@ -349,10 +447,7 @@ define(`authlogin_modify_last_login_log_depend',`
 define(`authlogin_pam_transition',`
 	requires_block_template(`$0'_depend)
-	allow $1 pam_exec_t:file { getattr read execute };
+	domain_auto_trans($1,pam_exec_t,pam_t)
 	allow $1 pam_t:process transition;
 	type_transition $1 pam_exec_t:process pam_t;
 	dontaudit $1 pam_t:process { noatsecure siginh rlimitinh };
 	allow $1 pam_t:fd use;
 	allow pam_t $1:fd use;
@ -363,7 +458,7 @@ define(`authlogin_pam_transition',`
 define(`authlogin_pam_transition_depend',`
 	type pam_t, pam_exec_t;
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd
 	class fifo_file rw_file_perms;
@ -381,7 +476,7 @@ define(`authlogin_pam_transition_depend',`
 ##		The role to allow the PAM domain.
 ##	</parameter>
 ##	<parameter name="terminal">
-##		The type of the terminal allow the PAM domain to use.
+B##		The type of the terminal allow the PAM domain to use.
 ##	</parameter>
 ##	<infoflow type="both" weight="10"/>
 ## </interface>
@ -391,15 +486,29 @@ define(`authlogin_pam_transition_add_role_use_terminal',`
 	authlogin_pam_transition($1)
 	role $2 types pam_t;
-	allow pam_t $3:chr_file { getattr read write ioctl };
+	allow pam_t $3:chr_file rw_file_perms;
 ')
 define(`authlogin_pam_transition_add_role_use_terminal_depend',`
 	type pam_t;
-	class chr_file { getattr read write ioctl };
+	class chr_file rw_file_perms;
 ')
 ########################################
 ## <interface name="authlogin_pam_execute">
 ##	<description>
 ##		
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
 ##		
 ##	</parameter>
 ##	<infoflow type="write" weight="10"/>
 ## </interface>
 #
 #######################################
 #
 # authlogin_pam_execute(domain)
@ -407,7 +516,7 @@ define(`authlogin_pam_transition_add_role_use_terminal_depend',`
 define(`authlogin_pam_execute',`
 	requires_block_template(`$0'_depend)
-	allow $1 pam_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,pam_exec_file_t)
 ')
 define(`authlogin_pam_execute_depend',`
@ -425,17 +534,31 @@ define(`authlogin_pam_read_runtime_data',`
 	files_search_system_state_data_directory($1)
 	files_search_runtime_data_directory($1)
-	allow $1 pam_var_run_t:dir { getattr search read };
+	allow $1 pam_var_run_t:dir r_dir_perms;
-	allow $1 pam_var_run_t:file { getattr read };
+	allow $1 pam_var_run_t:file r_file_perms;
 ')
 define(`authlogin_pam_read_runtime_data_depend',`
 	type pam_var_run_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
-	class file { getattr read };
+	class file r_file_perms;
 ')
 ########################################
 ## <interface name="authlogin_pam_remove_runtime_data">
 ##	<description>
 ##		
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
 ##		
 ##	</parameter>
 ##	<infoflow type="write" weight="10"/>
 ## </interface>
 #
 #######################################
 #
 # authlogin_pam_remove_runtime_data(domain)
@ -463,10 +586,7 @@ define(`authlogin_pam_remove_runtime_data_depend',`
 define(`authlogin_pam_console_transition',`
 	requires_block_template(`$0'_depend)
-	allow $1 pam_console_exec_t:file { getattr read execute };
+	domain_auto_trans($1,pam_console_exec_t,pam_console_t)
 	allow $1 pam_console_t:process transition;
 	type_transition $1 pam_console_exec_t:process pam_console_t;
 	dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh };
 	allow $1 pam_console_t:fd use;
 	allow pam_console_t $1:fd use;
@ -477,12 +597,26 @@ define(`authlogin_pam_console_transition',`
 define(`authlogin_pam_console_transition_depend',`
 	type pam_console_t, pam_console_exec_t;
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
 ')
 ########################################
 ## <interface name="authlogin_pam_console_read_runtime_data_dir">
 ##	<description>
 ##		
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
 ##		
 ##	</parameter>
 ##	<infoflow type="write" weight="10"/>
 ## </interface>
 #
 #######################################
 #
 # authlogin_pam_console_read_runtime_data_dir(domain)
@ -530,17 +664,17 @@ define(`authlogin_pam_console_manage_runtime_data',`
 	files_search_system_state_data_directory($1)
 	files_search_runtime_data_directory($1)
-	allow $1 pam_var_console_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1 pam_var_console_t:dir rw_dir_perms;
-	allow $1 pam_var_console_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+B	allow $1 pam_var_console_t:file create_file_perms;
-	allow $1 pam_var_console_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1 pam_var_console_t:lnk_file create_lnk_perms;
 ')
 define(`authlogin_pam_console_manage_runtime_data_depend',`
 	type pam_var_console_t;
-	class dir { read getattr lock search ioctl add_name remove_name write };
+	class dir rw_dir_perms;
-	class file { create ioctl read getattr lock write setattr append link unlink rename };
+	class file create_file_perms;
-	class lnk_file { create read getattr setattr link unlink rename };
+	class lnk_file create_lnk_perms;
 ')
 ########################################
@ -611,10 +745,7 @@ define(`authlogin_manage_all_files_except_shadow_depend',`
 define(`authlogin_utempter_transition',`
 	requires_block_template(`$0'_depend)
-	allow $1 utempter_exec_t:file { getattr read execute };
+	domain_auto_trans($1,utempter_exec_t,utempter_t)
 	allow $1 utempter_t:process transition;
 	type_transition $1 utempter_exec_t:process utempter_t;
 	dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh };
 	allow $1 utempter_t:fd use;
 	allow utempter_t $1:fd use;
@ -625,7 +756,7 @@ define(`authlogin_utempter_transition',`
 define(`authlogin_utempter_transition_depend',`
 	type utempter_t, utempter_exec_t;
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@ -653,15 +784,29 @@ define(`authlogin_utempter_transition_add_role_use_terminal',`
 	authlogin_utempter_transition($1)
 	role $2 types utempter_t;
-	allow utempter_t $3:chr_file { getattr read write ioctl };
+	allow utempter_t $3:chr_file rw_file_perms;
 ')
 define(`authlogin_utempter_transition_add_role_use_terminal_depend',`
 	type utempter_t;
-	class chr_file { getattr read write ioctl };
+	class chr_file rw_file_perms;
 ')
 ########################################
 ## <interface name="authlogin_read_login_records">
 ##	<description>
 ##		
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
 ##		
 ##	</parameter>
 ##	<infoflow type="write" weight="10"/>
 ## </interface>
 #
 #######################################
 #
 # authlogin_read_login_records(domain)
@ -670,15 +815,26 @@ define(`authlogin_read_login_records',`
 	requires_block_template(`$0'_depend)
 	logging_search_system_log_directory($1)
-	allow $1 wtmp_t:file { getattr read };
+	allow $1 wtmp_t:file r_file_perms;
 ')
 define(`authlogin_read_login_records_depend',`
 	type wtmp_t;
-	class file { getattr read };
+	class file r_file_perms;
 ')
 ########################################
 ## <interface name="authlogin_ignore_write_login_records">
 ##	<description>
 ##		
 ##	</description>
 ##	<parameter name="domain">
 ##		
 ##	</parameter>
 ##	<infoflow type="write" weight="10"/>
 ## </interface>
 #
 #######################################
 #
 # authlogin_ignore_write_login_records(domain)
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@ -74,21 +74,21 @@ allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exec
 dontaudit pam_t self:capability sys_tty_config;
 allow pam_t self:fd use;
-allow pam_t self:fifo_file { read getattr lock ioctl write append };
+allow pam_t self:fifo_file rw_file_perms;
-allow pam_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow pam_t self:unix_dgram_socket create_socket_perms; 
-allow pam_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow pam_t self:unix_stream_socket rw_stream_socket_perms;
 allow pam_t self:unix_dgram_socket sendto;
 allow pam_t self:unix_stream_socket connectto;
-allow pam_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
+allow pam_t self:shm create_shm_perms;
-allow pam_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
+allow pam_t self:sem create_sem_perms;
-allow pam_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow pam_t self:msgq create_msgq_perms;
 allow pam_t self:msg { send receive };
 allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
 allow pam_t pam_var_run_t:file { getattr read unlink };
-allow pam_t pam_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow pam_t pam_tmp_t:dir create_dir_perms;
-allow pam_t pam_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow pam_t pam_tmp_t:file create_file_perms;
 files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir })
 kernel_read_system_state(pam_t)
@ -132,9 +132,9 @@ dontaudit pam_console_t self:capability sys_tty_config;
 allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
 # for /var/run/console.lock checking
-allow pam_console_t pam_var_console_t:dir { getattr read search };
+allow pam_console_t pam_var_console_t:dir r_dir_perms;;
-allow pam_console_t pam_var_console_t:file { read getattr };
+allow pam_console_t pam_var_console_t:file r_file_perms;
-allow pam_console_t pam_var_console_t:lnk_file { getattr read };
+allow pam_console_t pam_var_console_t:lnk_file r_file_perms;
 kernel_read_kernel_sysctl(pam_console_t)
 kernel_read_system_state(pam_console_t)
@ -254,7 +254,7 @@ miscfiles_read_localization(system_chkpwd_t)
 selinux_read_config(system_chkpwd_t)
 tunable_policy(`use_dns',`
-	allow system_chkpwd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+	allow system_chkpwd_t self:udp_socket create_socket_perms;
 	corenetwork_sendrecv_udp_on_all_interfaces(system_chkpwd_t)
 	corenetwork_sendrecv_raw_on_all_interfaces(system_chkpwd_t)
 	corenetwork_sendrecv_udp_on_all_nodes(system_chkpwd_t)
@ -278,9 +278,9 @@ dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
 #
 allow utempter_t self:capability setgid;
-allow utempter_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow utempter_t self:unix_stream_socket rw_stream_socket_perms;
-allow utempter_t wtmp_t:file { ioctl read getattr lock write append };
+allow utempter_t wtmp_t:file rw_file_perms;
 terminal_get_all_private_physical_terminal_attributes(utempter_t)
 terminal_get_all_private_pseudoterminal_attributes(utempter_t)
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@ -26,7 +26,7 @@ define(`clock_transition',`
 define(`clock_transition_depend',`
 	type hwclock_t, hwclock_exec_t;
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@ -19,7 +19,7 @@ role system_r types hwclock_t;
 # Local policy
 #
-allow hwclock_t self:process { sigchld sigkill sigstop signull signal };
+allow hwclock_t self:process signal_perms;
 # Give hwclock the capabilities it requires.  dac_override is a surprise,
 # but hwclock does require it.
@ -83,7 +83,7 @@ allow hwclock_t proc_t:lnk_file read;
 optional_policy(`rhgb.te', `
 allow hwclock_t rhgb_t:process sigchld;
 allow hwclock_t rhgb_t:fd use;
-allow hwclock_t rhgb_t:fifo_file { read write };
+allow hwclock_t rhgb_t:fifo_file rw_file_perms;
 ')
 allow hwclock_t autofs_t:dir { search getattr };
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@ -41,13 +41,13 @@ define(`corecommands_search_general_programs_directory_depend',`
 define(`corecommands_read_general_programs_directory',`
 	requires_block_template(`$0'_depend)
-	allow $1 bin_t:dir { getattr search read };
+	allow $1 bin_t:dir r_dir_perms;
 ')
 define(`corecommands_read_general_programs_directory_depend',`
 	type bin_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
 ')
 ########################################
@ -57,16 +57,17 @@ define(`corecommands_read_general_programs_directory_depend',`
 define(`corecommands_execute_general_programs',`
 	requires_block_template(`$0'_depend)
-	allow $1 bin_t:dir { getattr search read };
+	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file { getattr read };
+	allow $1 bin_t:lnk_file r_file_perms;
-	allow $1 bin_t:file { getattr read ioctl lock execute execute_no_trans };
+	can_exec($1,bin_t)
 ')
 define(`corecommands_execute_general_programs_depend',`
 	type bin_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 	class file { getattr read ioctl lock execute execute_no_trans };
 ')
@ -125,16 +126,17 @@ define(`corecommands_ignore_get_system_programs_attributes_depend',`
 define(`corecommands_execute_system_programs',`
 	requires_block_template(`$0'_depend)
-	allow $1 sbin_t:dir { getattr search read };
+	allow $1 sbin_t:dir r_dir_perms;
-	allow $1 sbin_t:lnk_file { getattr read };
+	allow $1 sbin_t:lnk_file r_file_perms;
-	allow $1 sbin_t:file { getattr read ioctl lock execute execute_no_trans };
+	can_exec($1,sbin_t)
 ')
 define(`corecommands_execute_system_programs_depend',`
 	type sbin_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 	class file { getattr read ioctl lock execute execute_no_trans };
 ')
@ -146,15 +148,15 @@ define(`corecommands_execute_shell',`
 	requires_block_template(`$0'_depend)
 	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file { getattr read };
+	allow $1 bin_t:lnk_file r_file_perms;
-	allow $1 shell_exec_t:file { getattr read lock ioctl execute execute_no_trans };
+	can_exec($1,shell_exec_t)
 ')
 define(`corecommands_execute_shell_depend',`
 	type bin_t, shell_exec_t;
 	class dir r_dir_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 	class file { getattr read lock ioctl execute execute_no_trans };
 ')
@ -166,15 +168,15 @@ define(`corecommands_execute_ls',`
 	requires_block_template(`$0'_depend)
 	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file { getattr read };
+	allow $1 bin_t:lnk_file r_file_perms;
-	allow $1 ls_exec_t:file { getattr read lock ioctl execute execute_no_trans };
+	can_exec($1,ls_exec_t)
 ')
 define(`corecommands_execute_shell_depend',`
 	type bin_t, ls_exec_t;
 	class dir r_dir_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 	class file { getattr read lock ioctl execute execute_no_trans };
 ')
@ -197,9 +199,9 @@ define(`corecommands_execute_shell_depend',`
 define(`corecommands_shell_explicit_transition',`
 	requires_block_template(`$0'_depend)
-	allow $1 bin_t:dir { getattr search read };
+	allow $1 bin_t:dir r_dir_perms;
-	allow $1 bin_t:lnk_file { getattr read };
+	allow $1 bin_t:lnk_file r_file_perms;
-	allow $1 shell_exec_t:file { getattr read execute };
+	allow $1 shell_exec_t:file rx_file_perms
 	allow $1 $2:process transition;
 	dontaudit $1 $2:process { noatsecure siginh rlimitinh };
@ -212,9 +214,9 @@ define(`corecommands_shell_explicit_transition',`
 define(`corecommands_shell_explicit_transition_depend',`
 	type bin_t, shell_exec_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
-	class file { getattr read execute };
+	class file rx_file_perms
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@ -12,8 +12,8 @@ define(`domain_make_base_domain',`
 	typeattribute $1 domain;
 	# allow the domain to read its /proc/pid entries
-	allow $1 self:dir { getattr search read };
+	allow $1 self:dir r_dir_perms;
-	allow $1 self:{ file lnk_file } { getattr read write ioctl };
+	allow $1 self:{ file lnk_file } rw_file_perms;
 	# allow $1 to create child processes in this domain
 	allow $1 self:process { fork sigchld };
@ -22,9 +22,9 @@ define(`domain_make_base_domain',`
 define(`domain_make_base_domain_depend',`
 	attribute domain;
-	class dir { getattr search read };
+	class dir r_dir_perms;
-	class file { getattr read write ioctl };
+	class file rw_file_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 ')
 ########################################
@ -264,9 +264,9 @@ define(`domain_kill_all_domains_depend',`
 define(`domain_read_all_domains_process_state',`
 	requires_block_template(`$0'_depend)
-	allow $1 domain:dir { getattr search read };
+	allow $1 domain:dir r_dir_perms;
-	allow $1 domain:lnk_file { getattr read };
+	allow $1 domain:lnk_file r_file_perms;
-	allow $1 domain:file { getattr read };
+	allow $1 domain:file r_file_perms;
 	allow $1 domain:process getattr;
 	# We need to suppress this denial because procps tries to access
@ -279,9 +279,9 @@ define(`domain_read_all_domains_process_state',`
 define(`domain_read_all_domains_process_state_depend',`
 	attribute domain;
-	class dir { getattr search read };
+	class dir r_dir_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
-	class file { getattr read };
+	class file r_file_perms;
 	class process { getattr ptrace };
 ')
@ -436,7 +436,8 @@ define(`domain_ignore_get_all_domains_pipe_attributes_depend',`
 define(`domain_execute_all_entrypoint_programs',`
 	requires_block_template(`$0'_depend)
-	allow $1 entry_type:file { getattr read ioctl lock execute execute_no_trans };
+	can_exec($1,entry_type)
 ')
 define(`domain_execute_all_entrypoint_programs_depend',`
@ -452,7 +453,7 @@ define(`domain_execute_all_entrypoint_programs_depend',`
 define(`domain_read_all_entrypoint_programs',`
 	requires_block_template(`$0'_depend)
-	allow $1 entry_type:lnk_file { getattr read };
+	allow $1 entry_type:lnk_file r_file_perms;
 	allow $1 entry_type:file r_file_perms;
 ')
@ -460,7 +461,7 @@ define(`domain_read_all_entrypoint_programs_depend',`
 	attribute entry_type;
 	class file r_file_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 ')
 ## </module>
@ -478,13 +479,13 @@ define(`domain_read_all_entrypoint_programs_depend',`
 define(`domain_trans',`
 	requires_block_template(`$0'_depend)
-	allow $1 $2:file { getattr read execute };
+	allow $1 $2:file rx_file_perms;
 	allow $1 $3:process transition;
 	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
 ')
 define(`domain_trans_depend',`
-	class file { getattr read execute };
+	class file rx_file_perms;
 	process { transition noatsecure siginh rlimitinh };
 ')
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -187,11 +187,11 @@ define(`files_relabel_all_files_depend',`
 define(`files_manage_all_files',`
 	requires_block_template(`$0'_depend)
-	allow $1 { file_type $2 }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	allow $1 { file_type $2 }:dir create_dir_perms;
-	allow $1 { file_type $2 }:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 { file_type $2 }:file create_file_perms;
-	allow $1 { file_type $2 }:lnk_file { create read getattr setattr link unlink rename };
+	allow $1 { file_type $2 }:lnk_file create_lnk_perms;
-	allow $1 { file_type $2 }:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 { file_type $2 }:fifo_file create_file_perms;
-	allow $1 { file_type $2 }:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 { file_type $2 }:sock_file create_file_perms;
 	# satisfy the assertions:
 	selinux_write_binary_policy($1)
@ -201,11 +201,11 @@ define(`files_manage_all_files',`
 define(`files_manage_all_files_depend',`
 	attribute file_type;
-	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	class dir create_dir_perms;
-	class file { create ioctl read getattr lock write setattr append link unlink rename };
+	class file create_file_perms;
-	class lnk_file { create read getattr setattr link unlink rename };
+	class lnk_file create_lnk_perms;
-	class fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	class fifo_file create_file_perms;
-	class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	class sock_file create_file_perms;
 ')
 ########################################
@ -328,14 +328,14 @@ define(`files_read_root_dir',`
 	requires_block_template(`$0'_depend)
 	allow $1 root_t:dir r_dir_perms;
-	allow $1 root_t:lnk_file { getattr read };
+	allow $1 root_t:lnk_file r_file_perms;
 ')
 define(`files_read_root_dir_depend',`
 	type root_t;
 	class dir r_dir_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 ')
 ########################################
@ -446,13 +446,13 @@ class dir rw_dir_perms;
 define(`files_remove_root_dir_entry',`
 	requires_block_template(`$0'_depend)
-	allow $1 root_t:dir { getattr search read write remove_name };
+	allow $1 root_t:dir rw_dir_perms;
 ')
 define(`files_remove_root_dir_entry_depend',`
 	type root_t;
-	class dir { getattr search read write remove_name };
+	class dir rw_dir_perms;
 ')
 ########################################
@ -494,33 +494,33 @@ define(`files_search_general_system_config_directory_depend',`
 define(`files_read_general_system_config_directory',`
 	requires_block_template(`$0'_depend)
-	allow $1 etc_t:dir { getattr search read };
+	allow $1 etc_t:dir r_dir_perms;
 ')
 define(`files_read_general_system_config_directory_depend',`
 	type etc_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
 ')
 ########################################
-#
+A#
 # files_read_general_system_config(domain)
 #
 define(`files_read_general_system_config',`
 	requires_block_template(`$0'_depend)
-	allow $1 etc_t:dir { getattr search read };
+	allow $1 etc_t:dir r_dir_perms;
-	allow $1 etc_t:file { getattr read ioctl };
+	allow $1 etc_t:file r_file_perms;
-	allow $1 etc_t:lnk_file { getattr read };
+	allow $1 etc_t:lnk_file r_file_perms;
 ')
 define(`files_read_general_system_config_depend',`
 	type etc_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
-	class file { getattr read };
+	class file r_file_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 ')
 ########################################
@ -530,17 +530,17 @@ define(`files_read_general_system_config_depend',`
 define(`files_modify_general_system_config',`
 	requires_block_template(`$0'_depend)
-	allow $1 etc_t:dir { getattr search read };
+	allow $1 etc_t:dir r_dir_perms;
-	allow $1 etc_t:file { getattr read write ioctl };
+	allow $1 etc_t:file rw_file_perms;
-	allow $1 etc_t:lnk_file { getattr read };
+	allow $1 etc_t:lnk_file r_file_perms;
 ')
 define(`files_modify_general_system_config_depend',`
 	type etc_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
-	class file { getattr read write ioctl };
+	class file rw_file_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 ')
 ########################################
@ -550,17 +550,17 @@ define(`files_modify_general_system_config_depend',`
 define(`files_manage_general_system_config',`
 	requires_block_template(`$0'_depend)
-	allow $1 etc_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1 etc_t:dir rw_dir_perms;
-	allow $1 etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 etc_t:file create_file_perms;
-	allow $1 etc_t:lnk_file { getattr read };
+	allow $1 etc_t:lnk_file r_file_perms;
 ')
 define(`files_manage_general_system_config_depend',`
 	type etc_t;
-	class dir { read getattr lock search ioctl add_name remove_name write };
+	class dir rw_dir_perms;
-	class file { create ioctl read getattr lock write setattr append link unlink rename };
+	class file create_file_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 ')
 ########################################
@ -577,14 +577,14 @@ define(`files_manage_general_system_config_depend',`
 define(`files_remove_general_system_config',`
 	requires_block_template(`$0'_depend)
-	allow $1 etc_t:dir { getattr search read write remove_name };
+	allow $1 etc_t:dir rw_dir_perms;
 	allow $1 etc_t:file unlink;
 ')
 define(`files_remove_general_system_config_depend',`
 	type etc_t;
-	class dir { getattr search read write remove_name };
+	class dir rw_dir_perms;
 	class file unlink;
 ')
@ -595,16 +595,17 @@ define(`files_remove_general_system_config_depend',`
 define(`files_execute_system_config_script',`
 	requires_block_template(`$0'_depend)
-	allow $1 etc_t:dir { getattr search read };
+	allow $1 etc_t:dir r_dir_perms;
-	allow $1 etc_t:lnk_file { getattr read };
+	allow $1 etc_t:lnk_file r_file_perms;
-	allow $1 etc_t:file { getattr read execute execute_no_trans };
+	can_exec($1,etc_t)
 ')
 define(`files_execute_system_config_script_depend',`
 	type etc_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 	class file { getattr read execute execute_no_trans };
 ')
@ -617,7 +618,7 @@ define(`files_execute_system_config_script_depend',`
 define(`files_create_boot_flag',`
 	requires_block_template(`$0'_depend)
-	allow $1 root_t:dir { getattr search read write add_name remove_name };
+	allow $1 root_t:dir rw_dir_perms;
 	allow $1 etc_runtime_t:file { create read write setattr unlink };
 	type_transition $1 root_t:file etc_runtime_t;
 ')
@ -625,8 +626,8 @@ define(`files_create_boot_flag',`
 define(`files_create_boot_flag_depend',`
 	type root_t, etc_runtime_t;
-	class dir { getattr search read write add_name };
+	class dir rw_dir_perms;
-	class file { create read write setattr };
+	class file { create read write setattr unlink};
 ')
 ########################################
@ -636,16 +637,16 @@ define(`files_create_boot_flag_depend',`
 define(`files_manage_runtime_system_config',`
 	requires_block_template(`$0'_depend)
-	allow $1 etc_t:dir { getattr search read write add_name remove_name };
+	allow $1 etc_t:dir rw_dir_perms;
-	allow $1 etc_runtime_t:file { getattr create read write append setattr rename link unlink lock };
+	allow $1 etc_runtime_t:file create_file_perms;
 	type_transition $1 etc_t:file etc_runtime_t;
 ')
 define(`files_manage_runtime_system_config_depend',`
 	type etc_t, etc_runtime_t;
-	class dir { getattr search read write add_name };
+	class dir rw_dir_perms;
-	class file { getattr create read write append setattr rename unlink unlink lock };
+	class file create_file_perms;
 ')
 ########################################
@ -655,15 +656,15 @@ define(`files_manage_runtime_system_config_depend',`
 define(`files_read_runtime_system_config',`
 	requires_block_template(`$0'_depend)
-	allow $1 etc_t:dir { getattr search read };
+	allow $1 etc_t:dir r_dir_perms;
-	allow $1 etc_runtime_t:file { getattr read };
+	allow $1 etc_runtime_t:file r_file_perms;
 ')
 define(`files_read_runtime_system_config_depend',`
 	type etc_t, etc_runtime_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
-	class file { getattr read };
+	class file r_file_perms;
 ')
 ########################################
@ -749,13 +750,13 @@ define(`files_ignore_search_isid_type_dir_depend',`
 define(`files_list_home_directories',`
 	requires_block_template(`$0'_depend)
-	allow $1 home_root_t:dir { getattr search read };
+	allow $1 home_root_t:dir r_dir_perms;
 ')
 define(`files_list_home_directories_depend',`
 	type home_root_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
 ')
 ########################################
@ -765,13 +766,13 @@ define(`files_list_home_directories_depend',`
 define(`files_read_mnt_dir',`
 	requires_block_template(`$0'_depend)
-	allow $1 mnt_t:dir { getattr search read };
+	allow $1 mnt_t:dir r_dir_perms;
 ')
 define(`files_read_runtime_system_config_depend',`
 	type mnt_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
 ')
 ########################################
@ -781,7 +782,7 @@ define(`files_read_runtime_system_config_depend',`
 define(`files_create_private_tmp_data',`
 	requires_block_template(`$0'_depend)
-	allow $1 tmp_t:dir { getattr search read write add_name remove_name };
+	allow $1 tmp_t:dir rw_dir_perms;
 	ifelse(`$3',`',`
 		type_transition $1 tmp_t:file $2;
@ -793,7 +794,7 @@ define(`files_create_private_tmp_data',`
 define(`files_create_private_tmp_data_depend',`
 	type tmp_t;
-	class dir { getattr search read write add_name };
+	class dir rw_dir_perms;
 ')
 ########################################
@ -843,16 +844,16 @@ define(`files_search_general_application_resources_dir_depend',`
 define(`files_read_general_application_resources',`
 	requires_block_template(`$0'_depend)
-	allow $1 usr_t:dir { getattr search read };
+	allow $1 usr_t:dir r_dir_perms;
-	allow $1 usr_t:{ file lnk_file } { getattr read };
+	allow $1 usr_t:{ file lnk_file } r_file_perms;
 ')
 define(`files_read_general_application_resources_depend',`
 	type usr_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
-	class file { getattr read };
+	class file r_file_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 ')
 ########################################
@ -870,17 +871,18 @@ define(`files_execute_system_source_code_scripts',`
 	requires_block_template(`$0'_depend)
 	allow $1 usr_t:dir search;
-	allow $1 src_t:dir { getattr search read };
+	allow $1 src_t:dir r_dir_perms;
-	allow $1 src_t:lnk_file { getattr read };
+	allow $1 src_t:lnk_file r_file_perms;
-	allow $1 src_t:file { getattr read execute execute_no_trans };
+	can_exec($1,src_t)
 ')
 define(`files_read_system_source_code_depend',`
 	type usr_t, src_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
 	class file { getattr read execute execute_no_trans };
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 ')
 ########################################
@ -891,16 +893,16 @@ define(`files_read_system_source_code',`
 	requires_block_template(`$0'_depend)
 	allow $1 usr_t:dir search;
-	allow $1 src_t:dir { getattr search read };
+	allow $1 src_t:dir r_dir_perms;
-	allow $1 src_t:{ file lnk_file } { getattr read };
+	allow $1 src_t:{ file lnk_file } r_file_perms;
 ')
 define(`files_read_system_source_code_depend',`
 	type usr_t, src_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
-	class file { getattr read };
+	class file r_file_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 ')
 ########################################
@ -943,14 +945,14 @@ define(`files_manage_pseudorandom_saved_seed',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
-	allow $1 var_lib_t:dir { getattr search read write add_name remove_name };
+	allow $1 var_lib_t:dir rw_file_perms;
 	allow $1 var_lib_t:file { getattr create read write setattr unlink };
 ')
 define(`files_manage_pseudorandom_saved_seed_depend',`
 	type var_t, var_lib_t;
-	class dir { getattr search read write add_name remove_name };
+	class dir rw_file_perms;
 	class file { getattr create read write setattr unlink };
 ')
@ -961,14 +963,14 @@ define(`files_manage_pseudorandom_saved_seed_depend',`
 define(`files_get_system_lock_file_attributes',`
 	requires_block_template(`$0'_depend)
-	allow $1 var_lock_t:dir { getattr search read };
+	allow $1 var_lock_t:dir r_dir_perms;
 	allow $1 var_lock_t:file getattr;
 ')
 define(`files_get_system_lock_file_attributes_depend',`
 	type var_lock_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
 	class file getattr;
 ')
@ -997,14 +999,14 @@ define(`files_manage_system_lock_files_depend',`
 define(`files_remove_all_lock_files',`
 	requires_block_template(`$0'_depend)
-	allow $1 lockfile:dir { getattr search read write add_name remove_name };
+	allow $1 lockfile:dir rw_file_perms;
 	allow $1 lockfile:file { getattr unlink };
 ')
 define(`files_remove_all_lock_files_depend',`
 	attribute lockfile;
-	class dir { getattr search read write add_name remove_name };
+	class dir rw_dir_perms;
 	class file { getattr unlink };
 ')
@ -1072,13 +1074,13 @@ define(`files_read_runtime_data_directory',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
-	allow $1 var_run_t:dir { getattr search read };
+	allow $1 var_run_t:dir r_dir_perms;
 ')
 define(`files_read_runtime_data_directory_depend',`
 	type var_t, var_run_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
 ')
 ########################################
@ -1112,15 +1114,15 @@ define(`files_modify_system_runtime_data',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
-	allow $1 var_run_t:dir { getattr search read };
+	allow $1 var_run_t:dir r_dir_perms;
-	allow $1 var_run_t:file { getattr read write };
+	allow $1 var_run_t:file rw_file_perms;
 ')
 define(`files_modify_system_runtime_data_depend',`
 	type var_t, var_run_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
-	class file { getattr read write };
+	class file rw_file_perms;
 ')
 ########################################
@ -1242,13 +1244,13 @@ define(`files_read_system_spool_directory',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
-	allow $1 var_spool_t:dir { getattr search read };
+	allow $1 var_spool_t:dir r_dir_perms;
 ')
 define(`files_read_system_spool_directory_depend',`
 	type var_t, var_spool_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
 ')
 ########################################
@ -1259,15 +1261,15 @@ define(`files_read_system_spools',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
-	allow $1 var_spool_t:dir { getattr search read };
+	allow $1 var_spool_t:dir r_dir_perms;
-	allow $1 var_spool_t:file { getattr read };
+	allow $1 var_spool_t:file r_file_perms;
 ')
 define(`files_read_system_spools_depend',`
 	type var_t, var_spool_t;
-	class dir { getattr search read };
+	class dir r_dir_perms;
-	class file { getattr read };
+	class file r_file_perms;
 ')
 ########################################
@ -1278,14 +1280,14 @@ define(`files_manage_system_spools',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
-	allow $1 var_spool_t:dir { getattr search read write add_name remove_name };
+	allow $1 var_spool_t:dir rw_file_perms;
 	allow $1 var_spool_t:file { getattr create read write append unlink setattr };
 ')
 define(`files_manage_system_spools_depend',`
 	type var_t, var_spool_t;
-	class dir { getattr search read write add_name remove_name };
+	class dir rw_file_perms;
 	class file { getattr create read write append unlink setattr };
 ')
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@ -32,8 +32,8 @@ allow getty_t self:capability { dac_override chown sys_resource sys_tty_config }
 allow getty_t self:process { getpgid getsession };
-allow getty_t getty_etc_t:dir { getattr search read };
+allow getty_t getty_etc_t:dir r_dir_perms;
-allow getty_t getty_etc_t:file { getattr read };
+allow getty_t getty_etc_t:file r_file_perms;
 files_create_private_config(getty_t,getty_etc_t,{ file dir })
 allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink };
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@ -16,7 +16,7 @@
 define(`hostname_transition',`
 	requires_block_template(`$0'_depend)
-	allow $1 hostname_exec_t:file { getattr read execute };
+	allow $1 hostname_exec_t:file rx_file_perms;
 	allow $1 hostname_t:process transition;
 	type_transition $1 hostname_exec_t:process hostname_t;
 	dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh };
@ -30,7 +30,7 @@ define(`hostname_transition',`
 define(`hostname_transition_depend',`
 	type hostname_t, hostname_exec_t;
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@ -88,7 +88,8 @@ define(`hostname_transition_add_role_use_terminal_depend',`
 define(`hostname_execute',`
 	requires_block_template(`$0'_depend)
-	allow $1 hostname_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,hostname_exec_t)
 ')
 define(`hostname_execute_depend',`
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@ -65,7 +65,7 @@ ifdef(`targeted_policy', `
 ')
 tunable_policy(`use_dns',`
-	allow hostname_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+	allow hostname_t self:udp_socket create_socket_perms;
 	corenetwork_sendrecv_udp_on_all_interfaces(hostname_t)
 	corenetwork_sendrecv_raw_on_all_interfaces(hostname_t)
 	corenetwork_sendrecv_udp_on_all_nodes(hostname_t)
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@ -11,7 +11,7 @@
 define(`hotplug_transition',`
 	requires_block_template(`$0'_depend)
-	allow $1 hotplug_exec_t:file { getattr read execute };
+	allow $1 hotplug_exec_t:file rx_file_perms;
 	allow $1 hotplug_t:process transition;
 	type_transition $1 hotplug_exec_t:process hotplug_t;
 	dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh };
@ -25,7 +25,7 @@ define(`hotplug_transition',`
 define(`hotplug_transition_depend',`
 	type hotplug_t, hotplug_exec_t;
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@ -38,7 +38,8 @@ define(`hotplug_transition_depend',`
 define(`hotplug_execute',`
 	requires_block_template(`$0'_depend)
-	allow $1 hotplug_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,hotplug_exec_t)
 ')
 define(`hotplug_execute_depend',`
@ -110,17 +111,17 @@ define(`hotplug_read_config',`
 	requires_block_template(`$0'_depend)
 	files_search_general_system_config_directory($1)
-	allow $1 hotplug_etc_t:file { read getattr lock ioctl };
+	allow $1 hotplug_etc_t:file r_file_perms;
-	allow $1 hotplug_etc_t:dir { read getattr lock search ioctl };
+	allow $1 hotplug_etc_t:dir r_dir_perms;
-	allow $1 hotplug_etc_t:lnk_file { getattr read };
+	allow $1 hotplug_etc_t:lnk_file r_file_perms;
 ')
 define(`hotplug_read_config_depend',`
 	type hotplug_etc_t;
-	class file { read getattr lock ioctl };
+	class file r_file_perms;
-	class dir { read getattr lock search ioctl };
+	class dir r_dir_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@ -29,13 +29,13 @@ dontaudit hotplug_t self:capability { dac_override dac_read_search };
 allow hotplug_t self:process { getsession getattr };
-allow hotplug_t self:fifo_file { read write getattr ioctl };
+allow hotplug_t self:fifo_file r_file_perms;
-allow hotplug_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow hotplug_t self:udp_socket create_socket_perms;
-allow hotplug_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown listen accept };
+allow hotplug_t self:tcp_socket connected_stream_socket_perms;
-allow hotplug_t hotplug_etc_t:file { read getattr lock ioctl };
+allow hotplug_t hotplug_etc_t:file r_file_perms;
-allow hotplug_t hotplug_etc_t:dir { read getattr lock search ioctl };
+allow hotplug_t hotplug_etc_t:dir r_dir_perms;
-allow hotplug_t hotplug_etc_t:lnk_file { getattr read };
+allow hotplug_t hotplug_etc_t:lnk_file r_file_perms;
 allow hotplug_t hotplug_exec_t:file { getattr read ioctl execute execute_no_trans };
 allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@ -14,7 +14,7 @@ define(`init_make_init_domain',`
 	role system_r types $1;
 	allow init_t $1:process transition;
-	allow init_t $2:file { getattr read execute };
+	allow init_t $2:file rx_file_perms;
 	dontaudit init_t $1:process { noatsecure siginh rlimitinh };
 	type_transition init_t $2:process $1;
@ -33,7 +33,7 @@ define(`init_make_init_domain',`
 define(`init_make_init_domain_depend',`
 	type init_t;
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class fd use;
 	class fifo_file rw_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
@ -53,7 +53,7 @@ define(`init_make_daemon_domain',`
 	role system_r types $1;
 	allow initrc_t $1:process transition;
-	allow initrc_t $2:file { getattr read execute };
+	allow initrc_t $2:file rx_file_perms;
 	dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
 	type_transition initrc_t $2:process $1;
@ -75,7 +75,7 @@ define(`init_make_daemon_domain_depend',`
 	role system_r;
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class fifo_file rw_file_perms;
 	class fd use;
 	class process { transition noatsecure siginh rlimitinh sigchld };
@ -94,7 +94,7 @@ define(`init_make_system_domain',`
 	role system_r types $1;
 	allow initrc_t $1:process transition;
-	allow initrc_t $2:file { getattr read execute };
+	allow initrc_t $2:file rx_file_perms;
 	dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
 	type_transition initrc_t $2:process $1;
@ -115,7 +115,7 @@ define(`init_make_system_domain_depend',`
 	type initrc_t;
 	role system_r;
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class fd use;
 	class fifo_file rw_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
@ -128,7 +128,7 @@ define(`init_make_system_domain_depend',`
 define(`init_transition',`
 	requires_block_template(`$0'_depend)
-	allow $1 init_exec_t:file { getattr read execute };
+	allow $1 init_exec_t:file rx_file_perms;
 	allow $1 init_t:process transition;
 	type_transition $1 init_exec_t:process init_t;
 	dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
@ -142,7 +142,7 @@ define(`init_transition',`
 define(`init_transition_depend',`
 	type init_t, init_exec_t;
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@ -204,13 +204,13 @@ define(`init_use_control_channel',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
-	allow $1 initctl_t:fifo_file { getattr read write };
+	allow $1 initctl_t:fifo_file rw_file_perms;
 ')
 define(`init_use_control_channel_depend',`
 	type initctl_t;
-	class fifo_file { getattr read write };
+	class fifo_file rw_file_perms;
 ')
 ########################################
@ -284,7 +284,7 @@ define(`init_ignore_use_file_descriptors_depend',`
 define(`init_script_transition',`
 	requires_block_template(`$0'_depend)
-	allow $1 initrc_exec_t:file { getattr read execute };
+	allow $1 initrc_exec_t:file rx_file_perms;
 	allow $1 initrc_t:process transition;
 	type_transition $1 initrc_exec_t:process init_t;
 	dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
@ -298,7 +298,7 @@ define(`init_script_transition',`
 define(`init_script_transition_depend',`
 	type initrc_t, initrc_exec_t;
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@ -311,7 +311,8 @@ define(`init_script_transition_depend',`
 define(`init_script_execute',`
 	requires_block_template(`$0'_depend)
-	allow $1 initrc_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,initrc_exec_t)
 ')
 define(`init_script_execute_depend',`
@ -334,8 +335,8 @@ define(`init_script_execute_depend',`
 define(`init_script_read_process_state',`
 	requires_block_template(`$0'_depend)
-	allow $1 initrc_t:dir { search getattr read };
+	allow $1 initrc_t:dir r_dir_perms;
-	allow $1 initrc_t:{ file lnk_file } { read getattr };
+	allow $1 initrc_t:{ file lnk_file } r_file_perms;
 	allow $1 initrc_t:process getattr;
 	# We need to suppress this denial because procps tries to access
@ -348,9 +349,9 @@ define(`init_script_read_process_state',`
 define(`init_script_read_process_state_depend',`
 	type initrc_t;
-	class dir { search getattr read };
+	class dir r_dir_perms;
-	class file { read getattr };
+	class file r_file_perms;
-	class lnk_file { read getattr };
+	class lnk_file r_file_perms;
 	class process { getattr ptrace };
 ')
@ -426,7 +427,7 @@ define(`init_script_use_pseudoterminal_depend',`
 define(`init_script_ignore_use_pseudoterminal',`
 	requires_block_template(`$0'_depend)
-	allow $1 initrc_devpts_t:chr_file { read write ioctl };
+	dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };
 ')
 define(`init_script_ignore_use_pseudoterminal_depend',`
@ -450,13 +451,13 @@ define(`init_script_modify_temporary_data',`
 	requires_block_template(`$0'_depend)
 	# FIXME: read tmp_t
-	allow $1 initrc_tmp_t:file { getattr read write };
+	allow $1 initrc_tmp_t:file rw_file_perms;
 ')
 define(`init_script_modify_temporary_data_depend',`
 	type initrc_var_run_t;
-	class file { getattr read write };
+	class file rw_file_perms;
 ')
 ########################################
@ -467,13 +468,13 @@ define(`init_script_read_runtime_data',`
 	requires_block_template(`$0'_depend)
 	files_read_runtime_data_directory($1)
-	allow $1 initrc_var_run_t:file { getattr read lock };
+	allow $1 initrc_var_run_t:file r_file_perms;
 ')
 define(`init_script_read_runtime_data_depend',`
 	type initrc_var_run_t;
-	class file { getattr read lock };
+	class file r_file_perms;
 ')
 ########################################
@ -500,13 +501,13 @@ define(`init_script_modify_runtime_data',`
 	requires_block_template(`$0'_depend)
 	files_read_runtime_data_directory($1)
-	allow $1 initrc_var_run_t:file { getattr read write append lock };
+	allow $1 initrc_var_run_t:file rw_file_perms;
 ')
 define(`init_script_modify_runtime_data_depend',`
 	type initrc_var_run_t;
-	class file { getattr read write append lock };
+	class file rw_file_perms;
 ')
 ########################################
@ -522,7 +523,7 @@ define(`init_script_ignore_modify_runtime_data',`
 define(`init_script_ignore_modify_runtime_data_depend',`
 	type initrc_var_run_t;
-	class file { getattr read write append };
+	class file rw_file_perms;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -69,7 +69,7 @@ allow init_t self:capability ~sys_module;
 # setuid (from /sbin/shutdown)
 # sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
-allow init_t self:fifo_file { read write ioctl };
+allow init_t self:fifo_file rw_file_perms;
 # Re-exec itself
 allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
@ -83,12 +83,12 @@ fs_tmpfs_associate(initctl_t)
 devices_create_dev_entry(init_t,initctl_t,fifo_file)
 # Modify utmp.
-allow init_t initrc_var_run_t:file { getattr read write setattr lock };
+allow init_t initrc_var_run_t:file rw_file_perms;
 # Run init scripts.  this is ok since initrc
 # is also in this module
 allow init_t initrc_t:process transition;
-allow init_t initrc_exec_t:file { getattr read execute };
+allow init_t initrc_exec_t:file rx_file_perms;
 type_transition init_t initrc_exec_t:process initrc_t;
 dontaudit init_t initrc_t:process { noatsecure siginh rlimitinh };
@ -163,26 +163,26 @@ allow initrc_t self:capability ~{ sys_admin sys_module };
 allow initrc_t self:passwd rootok;
 # Allow IPC with self
-allow initrc_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow initrc_t self:unix_dgram_socket create_socket_perms;
 allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
-allow initrc_t self:tcp_socket { connect listen accept create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow initrc_t self:tcp_socket create_stream_socket_perms;
-allow initrc_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow initrc_t self:udp_socket create_socket_perms;
-allow initrc_t self:fifo_file { getattr read write ioctl };
+allow initrc_t self:fifo_file rw_file_perms;
-allow initrc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
+allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
 allow initrc_t init_t:fd use;
 allow initrc_t initrc_exec_t:file { getattr read ioctl execute execute_no_trans };
-allow initrc_t initrc_state_t:dir { create read getattr lock setattr ioctl unlink rename search add_name remove_name reparent write rmdir };
+allow initrc_t initrc_state_t:dir create_dir_perms;
-allow initrc_t initrc_state_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow initrc_t initrc_state_t:file create_file_perms;
 allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
-allow initrc_t initrc_var_run_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow initrc_t initrc_var_run_t:file create_file_perms;
 files_create_daemon_runtime_data(initrc_t,initrc_var_run_t)
-allow initrc_t initrc_tmp_t : file { create ioctl read getattr lock write setattr append link unlink rename };
+allow initrc_t initrc_tmp_t:file create_file_perms;
-allow initrc_t initrc_tmp_t : dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow initrc_t initrc_tmp_t:dir create_dir_perms;
 files_create_private_tmp_data(initrc_t,initrc_tmp_t, { file dir })
 kernel_read_system_state(initrc_t)
@ -389,7 +389,7 @@ allow initrc_t xconsole_device_t:fifo_file setattr;
 # for lsof in shutdown scripts
 can_kerberos(initrc_t)
 dontaudit initrc_t krb5_conf_t:file write;
-allow initrc_t krb5_conf_t:file { getattr read };
+allow initrc_t krb5_conf_t:file r_file_perms;
 #
 #  These rules are here to allow init scripts to su
@ -409,7 +409,7 @@ ifdef(`distro_debian', `
 ifdef(`distro_redhat', `
 	# readahead asks for these
-	allow initrc_t var_lib_nfs_t:file { getattr read };
+	allow initrc_t var_lib_nfs_t:file r_file_perms;
 ')
 ifdef(`targeted_policy', `
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
@ -15,7 +15,7 @@
 define(`iptables_transition',`
 	requires_block_template(`$0'_depend)
-	allow $1 iptables_exec_t:file { getattr read execute };
+	allow $1 iptables_exec_t:file rx_file_perms;
 	allow $1 iptables_t:process transition;
 	type_transition $1 iptables_exec_t:process iptables_t;
 	dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };
@ -29,7 +29,7 @@ define(`iptables_transition',`
 define(`iptables_transition_depend',`
 	type iptables_t, iptables_exec_t;
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@ -81,7 +81,8 @@ define(`iptables_transition_add_role_use_terminal_depend',`
 define(`iptables_execute',`
 	requires_block_template(`$0'_depend)
-	allow $1 iptables_exec_t:file { getattr read execute execute_no_trans };
+	can_exec($1,iptables_exec_t)
 ')
 define(`iptables_execute_depend',`
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@ -26,16 +26,16 @@ allow iptables_t self:capability { net_admin net_raw };
 dontaudit iptables_t self:capability sys_tty_config;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
-allow iptables_t iptables_var_run_t:dir { ioctl read getattr lock write append };
+allow iptables_t iptables_var_run_t:dir rw_dir_perms;
 files_create_daemon_runtime_data(iptables_t,iptables_var_run_t)
-allow iptables_t iptables_exec_t:file { getattr read execute execute_no_trans };
+can_exec(iptables_t,iptables_exec_t)
-allow iptables_t iptables_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow iptables_t iptables_tmp_t:dir create_dir_perms;
-allow iptables_t iptables_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow iptables_t iptables_tmp_t:file create_file_perms;
 files_create_private_tmp_data(iptables_t, iptables_tmp_t, { file dir })
-allow iptables_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow iptables_t self:rawip_socket create_socket_perms;
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
@ -71,7 +71,7 @@ sysnetwork_ifconfig_transition(iptables_t)
 userdomain_use_all_users_file_descriptors(iptables_t)
 tunable_policy(`use_dns',`
-	allow iptables_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+	allow iptables_t self:udp_socket create_socket_perms;
 	corenetwork_sendrecv_udp_on_all_interfaces(iptables_t)
 	corenetwork_sendrecv_raw_on_all_interfaces(iptables_t)
@ -108,7 +108,7 @@ ifdef(`TODO',`
 optional_policy(`rhgb.te', `
 allow iptables_t rhgb_t:process sigchld;
 allow iptables_t rhgb_t:fd use;
-allow iptables_t rhgb_t:fifo_file { read write };
+allow iptables_t rhgb_t:fifo_file rw_file_perms;
 ')
 allow iptables_t autofs_t:dir { search getattr };
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@ -15,7 +15,7 @@
 define(`libraries_ldconfig_transition',`
 	requires_block_template(`$0'_depend)
-	allow $1 ldconfig_exec_t:file { getattr read execute };
+	allow $1 ldconfig_exec_t:file rx_file_perms;
 	allow $1 ldconfig_t:process transition;
 	type_transition $1 ldconfig_exec_t:process ldconfig_t;
 	dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh };
@ -29,7 +29,7 @@ define(`libraries_ldconfig_transition',`
 define(`libraries_ldconfig_transition_depend',`
 	type ldconfig_t, ldconfig_exec_t;
-	class file { getattr read execute };
+	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
@ -172,13 +172,13 @@ define(`libraries_modify_dynamic_loader_cache',`
 	requires_block_template(`$0'_depend)
 	files_read_general_system_config_directory($1)
-	allow $1 ld_so_cache_t:file { getattr read write };
+	allow $1 ld_so_cache_t:file rw_file_perms;
 ')
 define(`libraries_modify_dynamic_loader_cache_depend',`
 	type ld_so_cache_t;
-	class file { getattr read write };
+	class file rw_file_perms;
 ')
 ########################################
@ -196,16 +196,16 @@ define(`libraries_modify_dynamic_loader_cache_depend',`
 define(`libraries_read_library_resources',`
 	requires_block_template(`$0'_depend)
-	allow $1 lib_t:dir { getattr read search };
+	allow $1 lib_t:dir r_dir_perms;
-	allow $1 lib_t:{ file lnk_file } { getattr read };
+	allow $1 lib_t:{ file lnk_file } r_file_perms;
 ')
 define(`libraries_read_library_resources_depend',`
 	type lib_t;
-	class dir { getattr read search };
+	class dir r_dir_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
-	class file { getattr read };
+	class file r_file_perms;
 ')
 ########################################
@ -222,16 +222,16 @@ define(`libraries_read_library_resources_depend',`
 define(`libraries_execute_library_scripts',`
 	requires_block_template(`$0'_depend)
-	allow $1 lib_t:dir { getattr read search };
+	allow $1 lib_t:dir r_dir_perms;
-	allow $1 lib_t:lnk_file { getattr read };
+	allow $1 lib_t:lnk_file r_file_perms
 	allow $1 lib_t:file { getattr read execute execute_no_trans };
 ')
 define(`libraries_execute_library_scripts_depend',`
 	type lib_t;
-	class dir { getattr read search };
+	class dir r_dir_perms;
-	class lnk_file { getattr read };
+	class lnk_file r_file_perms;
 	class file { getattr read execute execute_no_trans };
 ')
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@ -47,16 +47,16 @@ type ldconfig_exec_t;
 init_make_system_domain(ldconfig_t,ldconfig_exec_t)
 role system_r types ldconfig_t;
-allow ldconfig_t ld_so_cache_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow ldconfig_t ld_so_cache_t:file create_file_perms;
 files_create_private_config(ldconfig_t,ld_so_cache_t,file)
-allow ldconfig_t lib_t:dir { getattr search read write add_name remove_name };
+allow ldconfig_t lib_t:dir rw_dir_perms;
 allow ldconfig_t lib_t:lnk_file { getattr create read unlink };
-allow ldconfig_t ld_so_t:lnk_file { getattr read };
+allow ldconfig_t ld_so_t:lnk_file r_file_perms;
-allow ldconfig_t ld_so_t:file { getattr read execute };
+allow ldconfig_t ld_so_t:file rx_file_perms;
-allow ldconfig_t ld_so_cache_t:file { getattr read };
+allow ldconfig_t ld_so_cache_t:file r_file_perms;
-allow ldconfig_t { shlib_t texrel_shlib_t }:lnk_file { getattr read };
+allow ldconfig_t { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
-allow ldconfig_t { shlib_t texrel_shlib_t }:file { getattr read execute };
+allow ldconfig_t { shlib_t texrel_shlib_t }:file rx_file_perms;
 kernel_read_system_state(ldconfig_t)