Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

policy/modules/services/gpm.if

@@ -37,7 +37,7 @@ interface(`gpm_getattr_gpmctl',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 gpmctl_t:sock_file getattr;
+	allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
@@ -57,7 +57,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
 		type gpmctl_t;
 	')
 
-	dontaudit $1 gpmctl_t:sock_file getattr;
+	dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
@@ -77,5 +77,5 @@ interface(`gpm_setattr_gpmctl',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 gpmctl_t:sock_file setattr;
+	allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
 ')

policy/modules/services/kerberos.if

@@ -103,7 +103,7 @@ interface(`kerberos_use',`
 		corenet_sendrecv_kerberos_client_packets($1)
 		corenet_sendrecv_ocsp_client_packets($1)
 
-		allow $1 krb5_host_rcache_t:file getattr;
+		allow $1 krb5_host_rcache_t:file getattr_file_perms;
 	')
 
 	optional_policy(`

policy/modules/services/likewise.if

@@ -63,7 +63,7 @@ template(`likewise_domain_template',`
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
 
-	allow $1_t likewise_var_lib_t:dir setattr;
+	allow $1_t likewise_var_lib_t:dir setattr_dir_perms;
 
 	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
 	files_pid_filetrans($1_t, $1_var_run_t, file)

policy/modules/services/mta.if

@@ -168,7 +168,7 @@ interface(`mta_role',`
 
 	# Transition from the user domain to the derived domain.
 	domtrans_pattern($2, sendmail_exec_t, user_mail_t)
-	allow $2 sendmail_exec_t:lnk_file { getattr read };
+	allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
 
 	allow mta_user_agent $2:fd use;
 	allow mta_user_agent $2:process sigchld;
@@ -512,7 +512,7 @@ interface(`mta_write_config',`
 	')
 
 	manage_files_pattern($1, etc_mail_t, etc_mail_t)
-	allow $1 etc_mail_t:file setattr;
+	allow $1 etc_mail_t:file setattr_file_perms;
 ')
 
 ########################################
@@ -590,7 +590,7 @@ interface(`mta_rw_aliases',`
 	')
 
 	files_search_etc($1)
-	allow $1 etc_aliases_t:file { rw_file_perms setattr };
+	allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms };
 ')
 
 #######################################
@@ -684,8 +684,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
 
 	files_dontaudit_search_spool($1)
 	dontaudit $1 mail_spool_t:dir search_dir_perms;
-	dontaudit $1 mail_spool_t:lnk_file read;
-	dontaudit $1 mail_spool_t:file getattr;
+	dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms;
+	dontaudit $1 mail_spool_t:file getattr_file_perms;
 ')
 
 #######################################
@@ -735,7 +735,7 @@ interface(`mta_rw_spool',`
 
 	files_search_spool($1)
 	allow $1 mail_spool_t:dir list_dir_perms;
-	allow $1 mail_spool_t:file setattr;
+	allow $1 mail_spool_t:file setattr_file_perms;
 	manage_files_pattern($1, mail_spool_t, mail_spool_t)
 	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 ')
@@ -876,7 +876,7 @@ interface(`mta_dontaudit_rw_queue',`
 	')
 
 	dontaudit $1 mqueue_spool_t:dir search_dir_perms;
-	dontaudit $1 mqueue_spool_t:file { getattr read write };
+	dontaudit $1 mqueue_spool_t:file rw_file_perms;
 ')
 
 ########################################

policy/modules/services/munin.if

@@ -78,7 +78,7 @@ interface(`munin_read_config',`
 
 	allow $1 munin_etc_t:dir list_dir_perms;
 	allow $1 munin_etc_t:file read_file_perms;
-	allow $1 munin_etc_t:lnk_file { getattr read };
+	allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
 	files_search_etc($1)
 ')
 

policy/modules/services/mysql.if

@@ -253,7 +253,7 @@ interface(`mysql_write_log',`
 	')
 
 	logging_search_logs($1)
-	allow $1 mysqld_log_t:file { write_file_perms setattr };
+	allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
 ')
 
 ######################################

policy/modules/services/nis.if

@@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
 	allow $1 self:udp_socket create_socket_perms;
 
 	allow $1 var_yp_t:dir list_dir_perms;
-	allow $1 var_yp_t:lnk_file { getattr read };
+	allow $1 var_yp_t:lnk_file read_lnk_file_perms;
 	allow $1 var_yp_t:file read_file_perms;
 
 	corenet_all_recvfrom_unlabeled($1)

policy/modules/services/nscd.if

@@ -116,7 +116,7 @@ interface(`nscd_socket_use',`
 	dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
 	files_search_pids($1)
 	stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
-	dontaudit $1 nscd_var_run_t:file { getattr read };
+	dontaudit $1 nscd_var_run_t:file read_file_perms;
 ')
 
 ########################################
@@ -171,7 +171,7 @@ interface(`nscd_shm_use',`
 	stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
 	files_search_pids($1)
 	allow $1 nscd_t:nscd { getpwd getgrp gethost };
-	dontaudit $1 nscd_var_run_t:file { getattr read };
+	dontaudit $1 nscd_var_run_t:file read_file_perms;
 ')
 
 ########################################