Deprecate some old file and dir permission set macros in favor of the newer, more consistently-named macros.

Changelog

@@ -1,3 +1,5 @@
+- Deprecate some old file and dir permission set macros in favor of the
+  newer, more consistently-named macros.
 - Patch to clean up unescaped periods in several file context entries from
   Jan-Frode Myklebust.
 - Merge shlib_t into lib_t.

doc/example.te

@@ -22,7 +22,7 @@ files_tmp_file(myapp_tmp_t)
 # Myapp local policy
 #
 
-allow myapp_t myapp_log_t:file ra_file_perms;
+allow myapp_t myapp_log_t:file { read_file_perms append_file_perms };
 
 allow myapp_t myapp_tmp_t:file manage_file_perms;
 files_tmp_filetrans(myapp_t,myapp_tmp_t,file)

policy/modules/admin/dpkg.te

@@ -214,7 +214,7 @@ optional_policy(`
 allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
 allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow dpkg_script_t self:fd use;
-allow dpkg_script_t self:fifo_file rw_file_perms;
+allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
 allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
 allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
 allow dpkg_script_t self:unix_dgram_socket sendto;
@@ -224,7 +224,7 @@ allow dpkg_script_t self:sem create_sem_perms;
 allow dpkg_script_t self:msgq create_msgq_perms;
 allow dpkg_script_t self:msg { send receive };
 
-allow dpkg_script_t dpkg_tmp_t:file r_file_perms;
+allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
 
 allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
 allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
@@ -232,9 +232,9 @@ files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })
 
 allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
 allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
-allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file create_lnk_perms;
-allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_file_perms;
-allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
 fs_tmpfs_filetrans(dpkg_script_t,dpkg_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
 kernel_read_kernel_sysctls(dpkg_script_t)

policy/modules/admin/kudzu.te

@@ -165,5 +165,5 @@ optional_policy(`
 	role system_r types sysadm_userhelper_t;
 	domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
 ')
-allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
+allow kudzu_t cupsd_rw_etc_t:dir list_dir_perms;
 ')

policy/modules/admin/logrotate.te

@@ -183,15 +183,3 @@ optional_policy(`
 	# cjp: why?
 	squid_domtrans(logrotate_t)
 ')
-
-ifdef(`TODO',`
-# it should not require this
-allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
-
-# for /var/backups on Debian
-ifdef(`backup.te', `
-rw_dir_create_file(logrotate_t, backup_store_t)
-')
-
-allow logrotate_t syslogd_exec_t:file r_file_perms;
-') dnl end TODO

policy/modules/admin/portage.if

@@ -24,7 +24,7 @@ interface(`portage_domtrans',`
 	# constraining domain
 	domain_trans($1,portage_exec_t,portage_t)
 	allow portage_t $1:fd use;
-	allow portage_t $1:fifo_file rw_file_perms;
+	allow portage_t $1:fifo_file rw_fifo_file_perms;
 	allow portage_t $1:process sigchld;
 
 	# transition to portage
@@ -346,7 +346,8 @@ interface(`portage_main_domain',`
 	# seems to work ok without these
 	dontaudit portage_t device_t:{ blk_file chr_file } getattr;
 	dontaudit portage_t proc_t:dir setattr;
-	dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
+	dontaudit portage_t device_type:chr_file read_chr_file_perms;
+	dontaudit portage_t device_type:blk_file read_blk_file_perms;
 	')
 ')
 

policy/modules/apps/evolution.if

@@ -118,7 +118,7 @@ template(`evolution_per_role_template',`
 
 	allow $1_evolution_t $1_evolution_home_t:dir manage_dir_perms;
 	allow $1_evolution_t $1_evolution_home_t:file manage_file_perms;
-	allow $1_evolution_t $1_evolution_home_t:lnk_file create_lnk_perms;
+	allow $1_evolution_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
 
 	allow $1_evolution_t $1_evolution_orbit_tmp_t:dir manage_dir_perms;
 	allow $1_evolution_t $1_evolution_orbit_tmp_t:file manage_file_perms;
@@ -138,9 +138,9 @@ template(`evolution_per_role_template',`
 
 	allow $1_evolution_t $1_evolution_tmpfs_t:dir rw_dir_perms;
 	allow $1_evolution_t $1_evolution_tmpfs_t:file manage_file_perms;
-	allow $1_evolution_t $1_evolution_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_evolution_t $1_evolution_tmpfs_t:sock_file manage_file_perms;
-	allow $1_evolution_t $1_evolution_tmpfs_t:fifo_file manage_file_perms;
+	allow $1_evolution_t $1_evolution_tmpfs_t:lnk_file manage_lnk_file_perms;
+	allow $1_evolution_t $1_evolution_tmpfs_t:sock_file manage_sock_file_perms;
+	allow $1_evolution_t $1_evolution_tmpfs_t:fifo_file manage_fifo_file_perms;
 	fs_tmpfs_filetrans($1_evolution_t,$1_evolution_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
 	allow $1_evolution_t $2:dir search;
@@ -161,7 +161,7 @@ template(`evolution_per_role_template',`
 	# Access .evolution
 	allow $2 $1_evolution_home_t:dir manage_dir_perms;
 	allow $2 $1_evolution_home_t:file manage_file_perms;
-	allow $2 $1_evolution_home_t:lnk_file create_lnk_perms;
+	allow $2 $1_evolution_home_t:lnk_file manage_lnk_file_perms;
 	allow $2 $1_evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto };
 	userdom_search_user_home_dirs($1,$1_evolution_t)
 
@@ -477,9 +477,9 @@ template(`evolution_per_role_template',`
 
 	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:dir rw_dir_perms;
 	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:file manage_file_perms;
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:sock_file manage_file_perms;
-	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:fifo_file manage_file_perms;
+	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms;
+	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms;
+	allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms;
 	fs_tmpfs_filetrans($1_evolution_alarm_t,$1_evolution_alarm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
 	allow $1_evolution_alarm_t $1_evolution_exchange_t:unix_stream_socket connectto;
@@ -488,7 +488,7 @@ template(`evolution_per_role_template',`
 	# Access evolution home
 	allow $1_evolution_alarm_t $1_evolution_home_t:dir manage_dir_perms;
 	allow $1_evolution_alarm_t $1_evolution_home_t:file manage_file_perms;
-	allow $1_evolution_alarm_t $1_evolution_home_t:lnk_file create_lnk_perms;
+	allow $1_evolution_alarm_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
 
 	allow $1_evolution_alarm_t $1_evolution_server_t:unix_stream_socket connectto;
 	allow $1_evolution_alarm_t $1_evolution_server_orbit_tmp_t:sock_file write;
@@ -564,7 +564,7 @@ template(`evolution_per_role_template',`
 	# Access evolution home
 	allow $1_evolution_exchange_t $1_evolution_home_t:dir manage_dir_perms;
 	allow $1_evolution_exchange_t $1_evolution_home_t:file manage_file_perms;
-	allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file create_lnk_perms;
+	allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
 
 	allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto;
 	allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write;
@@ -576,9 +576,9 @@ template(`evolution_per_role_template',`
 
 	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:dir rw_dir_perms;
 	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:file manage_file_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:sock_file manage_file_perms;
-	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:fifo_file manage_file_perms;
+	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms;
+	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms;
+	allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
 	fs_tmpfs_filetrans($1_evolution_exchange_t,$1_evolution_exchange_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
 	allow $1_evolution_exchange_t $2:unix_stream_socket connectto;
@@ -664,7 +664,7 @@ template(`evolution_per_role_template',`
 	# Access evolution home
 	allow $1_evolution_server_t $1_evolution_home_t:dir manage_dir_perms;
 	allow $1_evolution_server_t $1_evolution_home_t:file manage_file_perms;
-	allow $1_evolution_server_t $1_evolution_home_t:lnk_file create_lnk_perms;
+	allow $1_evolution_server_t $1_evolution_home_t:lnk_file manage_lnk_file_perms;
 
 	allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto;
 	allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write;
@@ -747,9 +747,9 @@ template(`evolution_per_role_template',`
 	# X/evolution common stuff
 	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:dir rw_dir_perms;
 	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:file manage_file_perms;
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:lnk_file create_lnk_perms;
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:sock_file manage_file_perms;
-	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:fifo_file manage_file_perms;
+	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms;
+	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms;
+	allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms;
 	fs_tmpfs_filetrans($1_evolution_webcal_t,$1_evolution_webcal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
 	# Transition from user type

policy/modules/apps/games.if

@@ -158,7 +158,7 @@ template(`games_per_role_template',`
 		# FIXME: Change to use per app types
 		allow $1_games_t $1_gnome_settings_t:dir manage_dir_perms;
 		allow $1_games_t $1_gnome_settings_t:file manage_file_perms;
-		allow $1_games_t $1_gnome_settings_t:lnk_file create_lnk_perms;
+		allow $1_games_t $1_gnome_settings_t:lnk_file manage_lnk_file_perms;
 		#missing policy
 		optional_policy(`
 			dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;

policy/modules/kernel/devices.if

@@ -161,7 +161,6 @@ interface(`dev_create_generic_dirs',`
 		type device_t;
 	')
 
-	allow $1 device_t:dir { ra_dir_perms create };
 	create_dirs_pattern($1,device_t,device_t)
 ')
 

policy/modules/kernel/domain.if

@@ -90,7 +90,7 @@ interface(`domain_entry_file',`
 	')
 
 	allow $1 $2:file entrypoint;
-	allow $1 $2:file rx_file_perms;
+	allow $1 $2:file { mmap_file_perms ioctl lock };
 
 	typeattribute $2 entry_type;
 

policy/modules/kernel/domain.te

@@ -76,8 +76,8 @@ neverallow ~{ domain unlabeled_t } *:process *;
 #
 
 # read /proc/(pid|self) entries
-allow domain self:dir r_dir_perms;
-allow domain self:lnk_file r_file_perms;
+allow domain self:dir list_dir_perms;
+allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
 allow domain self:file rw_file_perms;
 kernel_read_proc_symlinks(domain)
 
@@ -128,9 +128,9 @@ allow unconfined_domain_type domain:{ sem msgq shm } *;
 allow unconfined_domain_type domain:msg { send receive };
 
 # For /proc/pid
-allow unconfined_domain_type domain:dir r_dir_perms;
-allow unconfined_domain_type domain:file r_file_perms;
-allow unconfined_domain_type domain:lnk_file r_file_perms;
+allow unconfined_domain_type domain:dir list_dir_perms;
+allow unconfined_domain_type domain:file read_file_perms;
+allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 
 # act on all domains keys
 allow unconfined_domain_type domain:key *;

policy/modules/kernel/files.if

@@ -1120,7 +1120,7 @@ interface(`files_list_root',`
 	')
 
 	allow $1 root_t:dir list_dir_perms;
-	allow $1 root_t:lnk_file r_file_perms;
+	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
 ')
 
 ########################################
@@ -3556,7 +3556,7 @@ interface(`files_create_kernel_symbol_table',`
 		type boot_t, system_map_t;
 	')
 
-	allow $1 boot_t:dir ra_dir_perms;
+	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
 	allow $1 system_map_t:file { rw_file_perms create };
 ')
 

policy/modules/kernel/kernel.te

@@ -182,25 +182,26 @@ allow kernel_t self:unix_dgram_socket create_socket_perms;
 allow kernel_t self:unix_stream_socket create_stream_socket_perms;
 allow kernel_t self:unix_dgram_socket sendto;
 allow kernel_t self:unix_stream_socket connectto;
-allow kernel_t self:fifo_file rw_file_perms;
-allow kernel_t self:sock_file r_file_perms;
+allow kernel_t self:fifo_file rw_fifo_file_perms;
+allow kernel_t self:sock_file read_sock_file_perms;
 allow kernel_t self:fd use;
 
-allow kernel_t proc_t:dir r_dir_perms;
-allow kernel_t proc_t:{ lnk_file file } r_file_perms;
+allow kernel_t proc_t:dir list_dir_perms;
+allow kernel_t proc_t:file read_file_perms;
+allow kernel_t proc_t:lnk_file read_lnk_file_perms;
 
-allow kernel_t proc_net_t:dir r_dir_perms;
-allow kernel_t proc_net_t:file r_file_perms;
+allow kernel_t proc_net_t:dir list_dir_perms;
+allow kernel_t proc_net_t:file read_file_perms;
 
-allow kernel_t proc_mdstat_t:file r_file_perms;
+allow kernel_t proc_mdstat_t:file read_file_perms;
 
 allow kernel_t proc_kcore_t:file getattr;
 
 allow kernel_t proc_kmsg_t:file getattr;
 
-allow kernel_t sysctl_kernel_t:dir r_dir_perms;
-allow kernel_t sysctl_kernel_t:file r_file_perms;
-allow kernel_t sysctl_t:dir r_dir_perms;
+allow kernel_t sysctl_kernel_t:dir list_dir_perms;
+allow kernel_t sysctl_kernel_t:file read_file_perms;
+allow kernel_t sysctl_t:dir list_dir_perms;
 
 # Other possible mount points for the root fs are in files
 allow kernel_t unlabeled_t:dir mounton;

policy/modules/services/cron.if

@@ -176,7 +176,7 @@ template(`cron_per_role_template',`
 
 	ifdef(`mta.te', `
 		domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
-		allow $1_crond_t sendmail_exec_t:lnk_file r_file_perms;
+		allow $1_crond_t sendmail_exec_t:lnk_file read_lnk_file_perms;
 
 		# $1_mail_t should only be reading from the cron fifo not needing to write
 		dontaudit $1_mail_t crond_t:fifo_file write;

policy/modules/services/dovecot.te

@@ -159,7 +159,7 @@ allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
 manage_files_pattern(dovecot_t,dovecot_var_lib_t,dovecot_var_lib_t)
 files_search_var_lib(dovecot_t)
 
-allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
+allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
 
 kernel_read_all_sysctls(dovecot_auth_t)
 kernel_read_system_state(dovecot_auth_t)

policy/modules/services/ftp.if

@@ -84,7 +84,7 @@ interface(`ftp_check_exec',`
 	')
 
 	corecmd_search_bin($1)
-	allow $1 ftpd_exec_t:file x_file_perms;
+	allow $1 ftpd_exec_t:file { getattr execute };
 ')
 
 ########################################

policy/modules/services/postfix.if

@@ -49,7 +49,7 @@ template(`postfix_domain_template',`
 
 	can_exec(postfix_$1_t, postfix_$1_exec_t)
 
-	allow postfix_$1_t postfix_exec_t:file rx_file_perms;
+	allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock ioctl };
 
 	allow postfix_$1_t postfix_master_t:process sigchld;
 

policy/modules/services/postfix.te

@@ -104,7 +104,7 @@ allow postfix_master_t postfix_etc_t:file rw_file_perms;
 
 can_exec(postfix_master_t,postfix_exec_t)
 
-allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
 
 allow postfix_master_t postfix_postdrop_exec_t:file getattr;
 

policy/modules/services/spamassassin.if

@@ -317,9 +317,6 @@ template(`spamassassin_per_role_template',`
 		mta_read_config($1_spamassassin_t)
 		sendmail_stub($1_spamassassin_t)
 	')
-
-	# For perl libraries.
-	allow $1_spamassassin_t lib_t:file rx_file_perms;
 ')
 
 ########################################

policy/modules/services/ssh.te

@@ -222,9 +222,6 @@ libs_use_shared_libs(ssh_keygen_t)
 
 logging_send_syslog_msg(ssh_keygen_t)
 
-allow ssh_keygen_t proc_t:dir r_dir_perms;
-allow ssh_keygen_t proc_t:lnk_file read;
-
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 
 optional_policy(`

policy/modules/services/xserver.if

@@ -412,7 +412,7 @@ template(`xserver_per_role_template',`
 	allow $2 $1_iceauth_home_t:file manage_file_perms;
 	allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
 
-	allow xdm_t $1_iceauth_home_t:file r_file_perms;
+	allow xdm_t $1_iceauth_home_t:file read_file_perms;
 
 	fs_search_auto_mountpoints($1_iceauth_t)
 
@@ -1174,7 +1174,7 @@ interface(`xserver_dontaudit_read_xdm_tmp_files',`
 	')
 
 	dontaudit $1 xdm_tmp_t:dir search_dir_perms;
-	dontaudit $1 xdm_tmp_t:file r_file_perms;
+	dontaudit $1 xdm_tmp_t:file read_file_perms;
 ')
 
 ########################################

policy/modules/services/xserver.te

@@ -145,8 +145,8 @@ files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file })
 allow xdm_t xdm_xserver_t:process signal;
 allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
 
-allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
-allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
+allow xdm_t xdm_xserver_tmp_t:sock_file rw_sock_file_perms;
+allow xdm_t xdm_xserver_tmp_t:dir { setattr list_dir_perms };
 
 # transition to the xdm xserver
 domtrans_pattern(xdm_t, xserver_exec_t, xdm_xserver_t)

policy/modules/system/fstools.te

@@ -29,8 +29,8 @@ files_type(swapfile_t)
 allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
 allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
 allow fsadm_t self:fd use;
-allow fsadm_t self:fifo_file rw_file_perms;
-allow fsadm_t self:sock_file r_file_perms;
+allow fsadm_t self:fifo_file rw_fifo_file_perms;
+allow fsadm_t self:sock_file read_sock_file_perms;
 allow fsadm_t self:unix_dgram_socket create_socket_perms;
 allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
 allow fsadm_t self:unix_dgram_socket sendto;

policy/modules/system/locallogin.te

@@ -37,8 +37,8 @@ allow local_login_t self:capability { dac_override chown fowner fsetid kill setg
 allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow local_login_t self:process { setrlimit setexec };
 allow local_login_t self:fd use;
-allow local_login_t self:fifo_file rw_file_perms;
-allow local_login_t self:sock_file r_file_perms;
+allow local_login_t self:fifo_file rw_fifo_file_perms;
+allow local_login_t self:sock_file read_sock_file_perms;
 allow local_login_t self:unix_dgram_socket create_socket_perms;
 allow local_login_t self:unix_stream_socket create_stream_socket_perms;
 allow local_login_t self:unix_dgram_socket sendto;

policy/modules/system/logging.te

@@ -102,13 +102,12 @@ logging_send_syslog_msg(auditctl_t)
 allow auditd_t self:capability { audit_write audit_control fsetid sys_nice sys_resource };
 dontaudit auditd_t self:capability sys_tty_config;
 allow auditd_t self:process { signal_perms setpgid setsched };
-allow auditd_t self:file { getattr read write };
 allow auditd_t self:unix_dgram_socket create_socket_perms;
 allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-allow auditd_t self:fifo_file rw_file_perms;
+allow auditd_t self:fifo_file rw_fifo_file_perms;
 
 allow auditd_t auditd_etc_t:dir list_dir_perms;
-allow auditd_t auditd_etc_t:file r_file_perms;
+allow auditd_t auditd_etc_t:file read_file_perms;
 
 manage_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
 manage_lnk_files_pattern(auditd_t,auditd_log_t,auditd_log_t)

policy/modules/system/modutils.te

@@ -49,7 +49,7 @@ allow insmod_t self:udp_socket create_socket_perms;
 allow insmod_t self:rawip_socket create_socket_perms; 
 
 # Read module config and dependency information
-allow insmod_t { modules_conf_t modules_dep_t }:file r_file_perms;
+allow insmod_t { modules_conf_t modules_dep_t }:file read_file_perms;
 
 can_exec(insmod_t, insmod_exec_t)
 

policy/modules/system/selinuxutil.te

@@ -517,9 +517,9 @@ allow setfiles_t self:capability { dac_override dac_read_search fowner };
 dontaudit setfiles_t self:capability sys_tty_config;
 allow setfiles_t self:fifo_file rw_file_perms;
 
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir list_dir_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file read_file_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
 
 kernel_read_system_state(setfiles_t)
 kernel_relabelfrom_unlabeled_dirs(setfiles_t)

policy/modules/system/userdomain.if

@@ -2667,7 +2667,7 @@ template(`userdom_dontaudit_read_user_tmp_files',`
 		type $1_tmp_t;
 	')
 
-	dontaudit $2 $1_tmp_t:file r_file_perms;
+	dontaudit $2 $1_tmp_t:file read_file_perms;
 ')
 
 ########################################
@@ -3491,7 +3491,7 @@ template(`userdom_dontaudit_read_user_tmp_untrusted_content_files',`
 		type $1_untrusted_content_tmp_t;
 	')
 
-	dontaudit $2 $1_untrusted_content_tmp_t:file r_file_perms;
+	dontaudit $2 $1_untrusted_content_tmp_t:file read_file_perms;
 ')
 
 ########################################

policy/support/file_patterns.spt

@@ -529,7 +529,7 @@ define(`relabel_chr_files_pattern',`
 # pattern(domain,dirtype,newtype,class(es))
 #
 define(`filetrans_add_pattern',`
-	allow $1 $2:dir ra_dir_perms;
+	allow $1 $2:dir { list_dir_perms add_entry_dir_perms };
 	type_transition $1 $2:$4 $3;
 ')
 

policy/support/misc_macros.spt

@@ -67,7 +67,7 @@ define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'if
 #
 # can_exec(domain,executable)
 #
-define(`can_exec',`allow $1 $2:file { rx_file_perms execute_no_trans };')
+define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };')
 
 ########################################
 #

policy/support/obj_perm_sets.spt

@@ -54,48 +54,42 @@ define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket un
 # 
 # Permissions for getting file attributes.
 #
-define(`stat_file_perms', `{ getattr }')
+define(`stat_file_perms', `{ getattr } refpolicywarn(`$0 is deprecated please use getattr_file_perms instead.')')
 
 # 
 # Permissions for executing files.
 #
-define(`x_file_perms', `{ getattr execute }')
+define(`x_file_perms', `{ getattr execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')')
 
 # 
 # Permissions for reading files and their attributes.
 #
-define(`r_file_perms', `{ read getattr lock ioctl }')
+define(`r_file_perms', `{ read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')')
 
 # 
 # Permissions for reading and executing files.
 #
-define(`rx_file_perms', `{ read getattr lock execute ioctl }')
+define(`rx_file_perms', `{ read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')')
 
 # 
 # Permissions for reading and appending to files.
 #
-define(`ra_file_perms', `{ ioctl read getattr lock append }')
+define(`ra_file_perms', `{ ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')')
 
 #
 # Permissions for linking, unlinking and renaming files.
 # 
-define(`link_file_perms', `{ getattr link unlink rename }')
+define(`link_file_perms', `{ getattr link unlink rename } refpolicywarn(`$0 is deprecated please use { getattr link unlink rename } instead.')')
 
 #
 # Permissions for creating lnk_files.
 #
-define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
-
-#
-# Permissions for creating and using files.
-#
-# deprecated by new perm set below 
-#define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
+define(`create_lnk_perms', `{ create read getattr setattr link unlink rename } refpolicywarn(`$0 is deprecated please use manage_lnk_file_perms instead.')')
 
 # 
 # Permissions for reading directories and their attributes.
 #
-define(`r_dir_perms', `{ read getattr lock search ioctl }')
+define(`r_dir_perms', `{ read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')')
 
 # 
 # Permissions for reading and writing directories and their attributes.
@@ -105,15 +99,9 @@ define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name wr
 # 
 # Permissions for reading and adding names to directories.
 #
-define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
+define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')')
 
 
-#
-# Permissions for creating and using directories.
-#
-# deprecated by new perm set below
-#define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
-
 #
 # Permissions to mount and unmount file systems.
 #