From 4d71bc3534f501ec83e9a03aff66ba5739a0e63d Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Sep 15 2010 20:06:43 +0000
Subject: Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy


---

diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 23ef05f..dd4cd30 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -127,7 +127,7 @@ cron_search_spool(logrotate_t)
 mta_send_mail(logrotate_t)
 
 ifdef(`distro_debian', `
-	allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
+	allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
 	# for savelog
 	can_exec(logrotate_t, logrotate_exec_t)
 
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index cdbadda..0faba2a 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -63,7 +63,7 @@ files_search_var_lib(prelink_t)
 
 # prelink misc objects that are not system
 # libraries or entrypoints
-allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
+allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
 
 kernel_read_system_state(prelink_t)
 kernel_read_kernel_sysctls(prelink_t)
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
index 15fef11..9f12b51 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -17,7 +17,7 @@
 #
 interface(`pulseaudio_role',`
 	gen_require(`
-		type pulseaudio_t, pulseaudio_exec_t, print_spool_t;
+		type pulseaudio_t, pulseaudio_exec_t;
 		class dbus { acquire_svc send_msg };
 	')
 
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index f9930a3..87a6942 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -336,7 +336,7 @@ interface(`term_relabel_console',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 console_device_t:chr_file { relabelfrom relabelto };
+	allow $1 console_device_t:chr_file relabel_chr_file_perms;
 ')
 
 ########################################
@@ -1118,7 +1118,7 @@ interface(`term_relabel_unallocated_ttys',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 tty_device_t:chr_file { relabelfrom relabelto };
+	allow $1 tty_device_t:chr_file relabel_chr_file_perms;
 ')
 
 ########################################
@@ -1300,7 +1300,7 @@ interface(`term_relabel_all_ttys',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 ttynode:chr_file { relabelfrom relabelto };
+	allow $1 ttynode:chr_file relabel_chr_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
index 8a5d6a4..022c079 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
 		type abrt_t;
 	')
 
+	kernel_search_proc($1)
 	ps_process_pattern($1, abrt_t)
 ')
 
diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
index c0f858d..b46f76f 100644
--- a/policy/modules/services/accountsd.if
+++ b/policy/modules/services/accountsd.if
@@ -138,7 +138,7 @@ interface(`accountsd_admin',`
 		type accountsd_t;
 	')
 
-	allow $1 accountsd_t:process { ptrace signal_perms getattr };
+	allow $1 accountsd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, accountsd_t)
 
 	accountsd_manage_lib_files($1)
diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if
index 8559cdc..49c0cc8 100644
--- a/policy/modules/services/afs.if
+++ b/policy/modules/services/afs.if
@@ -97,8 +97,8 @@ interface(`afs_admin',`
 		type afs_t, afs_initrc_exec_t;
 	')
 
-	allow $1 afs_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, afs_t, afs_t)
+	allow $1 afs_t:process { ptrace signal_perms };
+	ps_process_pattern($1, afs_t)
 
 	# Allow afs_admin to restart the afs service
 	afs_initrc_domtrans($1)
diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if
index c804110..bdefbe1 100644
--- a/policy/modules/services/arpwatch.if
+++ b/policy/modules/services/arpwatch.if
@@ -137,7 +137,7 @@ interface(`arpwatch_admin',`
 		type arpwatch_initrc_exec_t;
 	')
 
-	allow $1 arpwatch_t:process { ptrace signal_perms getattr };
+	allow $1 arpwatch_t:process { ptrace signal_perms };
 	ps_process_pattern($1, arpwatch_t)
 
 	arpwatch_initrc_domtrans($1)
diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if
index 8b8143e..c1a2b96 100644
--- a/policy/modules/services/asterisk.if
+++ b/policy/modules/services/asterisk.if
@@ -64,7 +64,7 @@ interface(`asterisk_admin',`
 		type asterisk_initrc_exec_t;
 	')
 
-	allow $1 asterisk_t:process { ptrace signal_perms getattr };
+	allow $1 asterisk_t:process { ptrace signal_perms };
 	ps_process_pattern($1, asterisk_t)
 
 	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
index d80a16b..f384848 100644
--- a/policy/modules/services/automount.if
+++ b/policy/modules/services/automount.if
@@ -68,7 +68,8 @@ interface(`automount_read_state',`
 		type automount_t;
 	')
 
-	read_files_pattern($1, automount_t, automount_t)
+	kernel_search_proc($1)
+	ps_process_pattern($1, automount_t)
 ')
 
 ########################################
@@ -149,7 +150,7 @@ interface(`automount_admin',`
 		type automount_var_run_t, automount_initrc_exec_t;
 	')
 
-	allow $1 automount_t:process { ptrace signal_perms getattr };
+	allow $1 automount_t:process { ptrace signal_perms };
 	ps_process_pattern($1, automount_t)
 
 	init_labeled_script_domtrans($1, automount_initrc_exec_t)
diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if
index 9f4885c..272bf74 100644
--- a/policy/modules/services/boinc.if
+++ b/policy/modules/services/boinc.if
@@ -138,8 +138,8 @@ interface(`boinc_admin',`
 		type boinc_var_lib_t;
 	')
 
-	allow $1 boinc_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, boinc_t, boinc_t)
+	allow $1 boinc_t:process { ptrace signal_perms };
+	ps_process_pattern($1, boinc_t)
 
 	boinc_initrc_domtrans($1)
 	domain_system_change_exemption($1)
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
index 1bdfe84..b2198bb 100644
--- a/policy/modules/services/cobbler.if
+++ b/policy/modules/services/cobbler.if
@@ -191,8 +191,8 @@ interface(`cobblerd_admin',`
 		type httpd_cobbler_content_rw_t;
 	')
 
-	allow $1 cobblerd_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, cobblerd_t, cobblerd_t)
+	allow $1 cobblerd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, cobblerd_t)
 
 	files_search_etc($1)
 	admin_pattern($1, cobbler_etc_t)
diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
index 9971337..efbc8af 100644
--- a/policy/modules/services/courier.if
+++ b/policy/modules/services/courier.if
@@ -42,7 +42,6 @@ template(`courier_domain_template',`
 	manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
 	manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
 	manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t)
-	files_search_pids(courier_$1_t)
 	files_pid_filetrans(courier_$1_t, courier_var_run_t, dir)
 
 	kernel_read_system_state(courier_$1_t)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index cbd01be..9822074 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -13,7 +13,8 @@
 #
 template(`cron_common_crontab_template',`
 	gen_require(`
-		type crond_t, crond_var_run_t;
+		type crond_t, crond_var_run_t, crontab_exec_t;
+		type cron_spool_t, user_cron_spool_t;
 	')
 
 	##############################
@@ -673,7 +674,6 @@ interface(`cron_dontaudit_write_system_job_tmp_files',`
 	gen_require(`
 		type system_cronjob_tmp_t;
 		type cron_var_run_t;
-		type system_cronjob_var_run_t;
 	')
 
 	dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
index f706b99..70cf018 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -165,13 +165,13 @@ interface(`devicekit_admin',`
 		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
 	')
 
-	allow $1 devicekit_t:process { ptrace signal_perms getattr };
+	allow $1 devicekit_t:process { ptrace signal_perms };
 	ps_process_pattern($1, devicekit_t)
 
-	allow $1 devicekit_disk_t:process { ptrace signal_perms getattr };
+	allow $1 devicekit_disk_t:process { ptrace signal_perms };
 	ps_process_pattern($1, devicekit_disk_t)
 
-	allow $1 devicekit_power_t:process { ptrace signal_perms getattr };
+	allow $1 devicekit_power_t:process { ptrace signal_perms };
 	ps_process_pattern($1, devicekit_power_t)
 
 	admin_pattern($1, devicekit_tmp_t)
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
index 5e2cea8..aa4da1d 100644
--- a/policy/modules/services/dhcp.if
+++ b/policy/modules/services/dhcp.if
@@ -77,7 +77,7 @@ interface(`dhcpd_initrc_domtrans',`
 #
 interface(`dhcpd_admin',`
 	gen_require(`
-		type dhcpd_t; type dhcpd_tmp_t;	type dhcpd_state_t;
+		type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
 		type dhcpd_var_run_t, dhcpd_initrc_exec_t;
 	')
 
diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if
index 0217906..1685c5d 100644
--- a/policy/modules/services/exim.if
+++ b/policy/modules/services/exim.if
@@ -235,8 +235,8 @@ interface(`exim_admin', `
 		type exim_tmp_t, exim_spool_t,  exim_var_run_t;
 	')
 
-	allow $1 exim_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, exim_t, exim_t)	
+	allow $1 exim_t:process { ptrace signal_perms };
+	ps_process_pattern($1, exim_t)
 
 	exim_initrc_domtrans($1)
 	domain_system_change_exemption($1)
diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if
index 6537214..7d64c0a 100644
--- a/policy/modules/services/fetchmail.if
+++ b/policy/modules/services/fetchmail.if
@@ -18,6 +18,7 @@ interface(`fetchmail_admin',`
 		type fetchmail_var_run_t;
 	')
 
+	allow $1 fetchmail_t:process { ptrace signal_perms };
 	ps_process_pattern($1, fetchmail_t)
 
 	files_list_etc($1)
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
index 5b9771e..0d50d0d 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
@@ -51,6 +51,7 @@ interface(`hal_read_state',`
 		type hald_t;
 	')
 
+	kernel_search_proc($1)
 	ps_process_pattern($1, hald_t)
 ')
 
@@ -382,7 +383,7 @@ interface(`hal_read_pid_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
@@ -457,7 +458,7 @@ interface(`hal_manage_pid_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if
index 87b4531..777b036 100644
--- a/policy/modules/services/hddtemp.if
+++ b/policy/modules/services/hddtemp.if
@@ -70,8 +70,4 @@ interface(`hddtemp_admin',`
 
 	admin_pattern($1, hddtemp_etc_t)
 	files_search_etc($1)
-
-	allow $1 hddtemp_t:dir list_dir_perms;
-	read_lnk_files_pattern($1, hddtemp_t, hddtemp_t)
-	kernel_search_proc($1)
 ')
diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if
index ecab47a..3aa86f3 100644
--- a/policy/modules/services/icecast.if
+++ b/policy/modules/services/icecast.if
@@ -173,6 +173,7 @@ interface(`icecast_admin',`
 		type icecast_t, icecast_initrc_exec_t;
 	')
 
+	allow $1 icecast_t:process { ptrace signal_perms };
 	ps_process_pattern($1, icecast_t)
 
 	# Allow icecast_t to restart the apache service
diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if
index 2873e8f..f17e629 100644
--- a/policy/modules/services/jabber.if
+++ b/policy/modules/services/jabber.if
@@ -61,7 +61,7 @@ interface(`jabberd_read_lib_files',`
 ## </summary>
 ## <param name="domain">
 ##      <summary>
-##      Domain allowed access.
+##      Domain to not audit.
 ##      </summary>
 ## </param>
 #
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
index e5684f4..d15f94d 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
@@ -126,11 +126,10 @@ interface(`ldap_stream_connect',`
 	')
 
 	files_search_pids($1)
-	allow $1 slapd_var_run_t:sock_file write;
-	allow $1 slapd_t:unix_stream_socket connectto;
+	stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
 
 	optional_policy(`
-		ldap_stream_connect_dirsrv($1)	
+		ldap_stream_connect_dirsrv($1)
 	')
 ')
 
@@ -150,8 +149,7 @@ interface(`ldap_stream_connect_dirsrv',`
 	')
 
 	files_search_pids($1)
-	allow $1 dirsrv_var_run_t:sock_file write;
-	allow $1 dirsrv_t:unix_stream_socket connectto;
+	stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
 ')
 
 ########################################
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index a4f32f5..d801ec0 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -153,7 +153,7 @@ interface(`lpd_relabel_spool',`
 	')
 
 	files_search_spool($1)
-	allow $1 print_spool_t:file { relabelto relabelfrom };
+	allow $1 print_spool_t:file relabel_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
index c28a876..ee60e59 100644
--- a/policy/modules/services/memcached.if
+++ b/policy/modules/services/memcached.if
@@ -70,5 +70,6 @@ interface(`memcached_admin',`
 	role_transition $2 memcached_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_search_pids($1)
 	admin_pattern($1, memcached_var_run_t)
 ')
diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if
index 07dac12..5599d14 100644
--- a/policy/modules/services/mpd.if
+++ b/policy/modules/services/mpd.if
@@ -53,7 +53,6 @@ interface(`mpd_read_data_files',`
                 type mpd_data_t;
         ')
 
-        files_search_var_lib($1)
 	mpd_search_lib($1)
         read_files_pattern($1, mpd_data_t, mpd_data_t)
 ')
@@ -73,8 +72,7 @@ interface(`mpd_read_tmpfs_files',`
                 type mpd_tmpfs_t;
         ')
 
-        files_search_var_lib($1)
-	mpd_search_lib($1)
+	fs_search_tmpfs($1)
         read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
 ')
 
@@ -93,8 +91,7 @@ interface(`mpd_manage_tmpfs_files',`
                 type mpd_tmpfs_t;
         ')
 
-	files_search_var_lib($1)
-	mpd_search_lib($1)
+	fs_search_tmpfs($1)
         manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
         manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
 ')
@@ -114,7 +111,6 @@ interface(`mpd_manage_data_files',`
                 type mpd_data_t;
         ')
 
-        files_search_var_lib($1)
         mpd_search_lib($1)
         manage_files_pattern($1, mpd_data_t, mpd_data_t)
 ')
@@ -250,6 +246,7 @@ interface(`mpd_admin',`
 		type mpd_data_t;
 		type mpd_log_t;
                 type mpd_var_lib_t;
+		type mpd_tmpfs_t;
 	')
 
 	allow $1 mpd_t:process { ptrace signal_perms };
@@ -271,4 +268,6 @@ interface(`mpd_admin',`
 
 	admin_pattern($1, mpd_log_t)
 
+	fs_search_tmpfs($1)
+	admin_pattern($1, mpd_tmpfs_t)
 ')
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index 5046738..dda8ca9 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -57,9 +57,8 @@ interface(`munin_stream_connect',`
 		type munin_var_run_t, munin_t;
 	')
 
-	allow $1 munin_t:unix_stream_socket connectto;
-	allow $1 munin_var_run_t:sock_file { getattr write };
 	files_search_pids($1)
+	stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)
 ')
 
 #######################################
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index e9c0982..b81e257 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -73,6 +73,7 @@ interface(`mysql_stream_connect',`
 		type mysqld_t, mysqld_var_run_t, mysqld_db_t;
 	')
 
+	files_search_pids($1)
 	stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
 	stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
 ')
diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if
index 23c769c..b94add1 100644
--- a/policy/modules/services/nslcd.if
+++ b/policy/modules/services/nslcd.if
@@ -106,9 +106,9 @@ interface(`nslcd_admin',`
 	role_transition $2 nslcd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t)
+	files_search_etc($1)
+	admin_pattern($1, nslcd_conf_t)
 
-	manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
-	manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
-	manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+	files_search_pids($1)
+	admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
 ')
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index e80f8c0..6b240d9 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -144,7 +144,7 @@ interface(`ntp_admin',`
 		type ntpd_initrc_exec_t;
 	')
 
-	allow $1 ntpd_t:process { ptrace signal_perms getattr };
+	allow $1 ntpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ntpd_t)
 
 	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if
index 85f6ada..ca33ae3 100644
--- a/policy/modules/services/oddjob.if
+++ b/policy/modules/services/oddjob.if
@@ -29,7 +29,7 @@ interface(`oddjob_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##      <summary>
-##      Domain allowed access.
+##      Domain to not audit.
 ##      </summary>
 ## </param>
 #
diff --git a/policy/modules/services/pads.if b/policy/modules/services/pads.if
index 8ac407e..4452d3b 100644
--- a/policy/modules/services/pads.if
+++ b/policy/modules/services/pads.if
@@ -39,6 +39,9 @@ interface(`pads_admin', `
 	role_transition $2 pads_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_search_pids($1)
 	admin_pattern($1, pads_var_run_t)
+
+	files_search_etc($1)
 	admin_pattern($1, pads_config_t)
 ')
diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
index 9759ed8..fecc0dc 100644
--- a/policy/modules/services/plymouthd.if
+++ b/policy/modules/services/plymouthd.if
@@ -249,12 +249,14 @@ interface(`plymouthd_admin', `
 		type plymouthd_var_run_t;
 	')
 
-	allow $1 plymouthd_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, plymouthd_t, plymouthd_t)
+	allow $1 plymouthd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, plymouthd_t)
 
+	files_search_var_lib($1)
 	admin_pattern($1, plymouthd_spool_t)
 
 	admin_pattern($1, plymouthd_var_lib_t)
 
+	files_search_pids($1)
 	admin_pattern($1, plymouthd_var_run_t)
 ')
diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if
index 4af4422..d91c1f5 100644
--- a/policy/modules/services/portreserve.if
+++ b/policy/modules/services/portreserve.if
@@ -105,8 +105,8 @@ interface(`portreserve_admin', `
 		type portreserve_initrc_exec_t, portreserve_var_run_t;
 	')
 
-	allow $1 portreserve_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1,  portreserve_t,  portreserve_t)
+	allow $1 portreserve_t:process { ptrace signal_perms };
+	ps_process_pattern($1, portreserve_t)
 	
 	portreserve_initrc_domtrans($1)
 	domain_system_change_exemption($1)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index b6d763d..cfcbac7 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -691,26 +691,26 @@ interface(`postfix_admin', `
 		type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
 	')
 
-	allow $1 postfix_bounce_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, postfix_bounce_t, postfix_bounce_t)
+	allow $1 postfix_bounce_t:process { ptrace signal_perms };
+	ps_process_pattern($1, postfix_bounce_t)
 
-	allow $1 postfix_cleanup_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, postfix_cleanup_t, postfix_cleanup_t)
+	allow $1 postfix_cleanup_t:process { ptrace signal_perms };
+	ps_process_pattern($1, postfix_cleanup_t)
 
-	allow $1 postfix_local_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, postfix_local_t, postfix_local_t)
+	allow $1 postfix_local_t:process { ptrace signal_perms };
+	ps_process_pattern($1, postfix_local_t)
 
-	allow $1 postfix_master_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, postfix_master_t, postfix_master_t)
+	allow $1 postfix_master_t:process { ptrace signal_perms };
+	ps_process_pattern($1, postfix_master_t)
 
-	allow $1 postfix_pickup_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, postfix_pickup_t, postfix_pickup_t)
+	allow $1 postfix_pickup_t:process { ptrace signal_perms };
+	ps_process_pattern($1, postfix_pickup_t)
 
-	allow $1 postfix_qmgr_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, postfix_qmgr_t, postfix_qmgr_t)
+	allow $1 postfix_qmgr_t:process { ptrace signal_perms };
+	ps_process_pattern($1, postfix_qmgr_t)
 
-	allow $1 postfix_smtpd_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, postfix_smtpd_t, postfix_smtpd_t)
+	allow $1 postfix_smtpd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, postfix_smtpd_t)
 
 	postfix_run_map($1,$2)
 	postfix_run_postdrop($1,$2)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 539a7c9..2c6b723 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -312,10 +312,8 @@ interface(`postgresql_stream_connect',`
 	')
 
 	files_search_pids($1)
-	allow $1 postgresql_t:unix_stream_socket connectto;
-	allow $1 postgresql_var_run_t:sock_file write;
-	# Some versions of postgresql put the sock file in /tmp
-	allow $1 postgresql_tmp_t:sock_file write;
+	files_search_tmp($1)
+	stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t)
 ')
 
 ########################################
@@ -441,10 +439,13 @@ interface(`postgresql_admin',`
 
 	admin_pattern($1, postgresql_var_run_t)
 
+	files_search_var_lib($1)
 	admin_pattern($1, postgresql_db_t)
 
+	files_search_etc($1)
 	admin_pattern($1, postgresql_etc_t)
 
+	logging_search_logs($1)
 	admin_pattern($1, postgresql_log_t)
 
 	admin_pattern($1, postgresql_tmp_t)
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index b524673..f916c76 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -360,7 +360,7 @@ interface(`ppp_admin',`
  		type pppd_initrc_exec_t;
 	')
 
-	allow $1 pppd_t:process { ptrace signal_perms getattr };
+	allow $1 pppd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, pppd_t)
 
 	ppp_initrc_domtrans($1)
@@ -386,7 +386,7 @@ interface(`ppp_admin',`
 	files_list_pids($1)
 	admin_pattern($1, pppd_var_run_t)
 
-	allow $1 pptp_t:process { ptrace signal_perms getattr };
+	allow $1 pptp_t:process { ptrace signal_perms };
 	ps_process_pattern($1, pptp_t)
 
 	admin_pattern($1, pptp_log_t)
diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if
index 2316653..e4d8797 100644
--- a/policy/modules/services/prelude.if
+++ b/policy/modules/services/prelude.if
@@ -136,9 +136,16 @@ interface(`prelude_admin',`
 	allow $2 system_r;
 
 	admin_pattern($1, prelude_spool_t)
+
+	files_search_var_lib($1)
 	admin_pattern($1, prelude_var_lib_t)
+
+	files_search_pids($1)
 	admin_pattern($1, prelude_var_run_t)
 	admin_pattern($1, prelude_audisp_var_run_t)
+
+	files_search_tmp($1)
 	admin_pattern($1, prelude_lml_tmp_t)
+
 	admin_pattern($1, prelude_lml_var_run_t)
 ')
diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if
index 1da26dc..c8f6cb5 100644
--- a/policy/modules/services/privoxy.if
+++ b/policy/modules/services/privoxy.if
@@ -24,7 +24,7 @@ interface(`privoxy_admin',`
 		type privoxy_initrc_exec_t;
 	')
 
-	allow $1 privoxy_t:process { ptrace signal_perms getattr };
+	allow $1 privoxy_t:process { ptrace signal_perms };
 	ps_process_pattern($1, privoxy_t)
 
 	init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
index 3588ebb..9587224 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -179,21 +179,21 @@ read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
 allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
 logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
-allow puppetmaster_t puppet_log_t:file { relabelfrom relabelto };
+allow puppetmaster_t puppet_log_t:file relabel_file_perms;
 
 manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
 manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
-allow puppetmaster_t puppet_var_lib_t:dir { relabelfrom relabelto };
+allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
 
 setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
-allow puppetmaster_t puppet_var_run_t:dir { relabelfrom relabelto };
+allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
 
 manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
 manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
 files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
-allow puppetmaster_t puppet_tmp_t:dir { relabelfrom relabelto };
+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
 
 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
 kernel_read_system_state(puppetmaster_t)
diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if
index 039bd27..5dbca44 100644
--- a/policy/modules/services/qpidd.if
+++ b/policy/modules/services/qpidd.if
@@ -179,8 +179,8 @@ interface(`qpidd_admin',`
 		type qpidd_t;
 	')
 
-	allow $1 qpidd_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, qpidd_t, qpidd_t)
+	allow $1 qpidd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, qpidd_t)
 	        
 
 	gen_require(`
diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if
index 9a78598..8f132e7 100644
--- a/policy/modules/services/radius.if
+++ b/policy/modules/services/radius.if
@@ -38,7 +38,7 @@ interface(`radius_admin',`
 		type radiusd_initrc_exec_t;
 	')
 
-	allow $1 radiusd_t:process { ptrace signal_perms getattr };
+	allow $1 radiusd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, radiusd_t)
 
 	init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
index 9011506..13ad2fe 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -174,7 +174,6 @@ template(`razor_manage_user_home_files',`
 		type razor_home_t;
 	')
 
-	files_search_home($1)
 	userdom_search_user_home_dirs($1)
 	manage_files_pattern($1, razor_home_t, razor_home_t)
 	read_lnk_files_pattern($1, razor_home_t, razor_home_t)
diff --git a/policy/modules/services/resmgr.if b/policy/modules/services/resmgr.if
index d457736..eabdd78 100644
--- a/policy/modules/services/resmgr.if
+++ b/policy/modules/services/resmgr.if
@@ -16,7 +16,6 @@ interface(`resmgr_stream_connect',`
 		type resmgrd_var_run_t, resmgrd_t;
 	')
 
-	allow $1 resmgrd_t:unix_stream_socket connectto;
-	allow $1 resmgrd_var_run_t:sock_file { getattr write };
 	files_search_pids($1)
+	stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t)
 ')
diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if
index 91dbe71..aaf7c85 100644
--- a/policy/modules/services/rgmanager.if
+++ b/policy/modules/services/rgmanager.if
@@ -118,7 +118,7 @@ interface(`rgmanager_admin',`
         ')
 
 	allow $1 rgmanager_t:process { ptrace signal_perms };
-	read_files_pattern($1, rgmanager_t, rgmanager_t)
+	ps_process_pattern($1, rgmanager_t)
 
 	init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
 	domain_system_change_exemption($1)
diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if
index f326085..ecc341c 100644
--- a/policy/modules/services/ricci.if
+++ b/policy/modules/services/ricci.if
@@ -108,8 +108,7 @@ interface(`ricci_stream_connect_modclusterd',`
 	')
 
 	files_search_pids($1)
-	allow $1 ricci_modcluster_var_run_t:sock_file write;
-	allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
+	stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)
 ')
 
 ########################################
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index b0eac5b..b65be0c 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -434,5 +434,5 @@ interface(`rpc_manage_nfs_state_data',`
 
 	files_search_var_lib($1)
 	manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
-	allow $1 var_lib_nfs_t:file { relabelfrom relabelto };
+	allow $1 var_lib_nfs_t:file relabel_file_perms;
 ')
diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if
index ca97ead..5a4d69d 100644
--- a/policy/modules/services/rpcbind.if
+++ b/policy/modules/services/rpcbind.if
@@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',`
 	')
 
 	files_search_pids($1)
-	allow $1 rpcbind_var_run_t:sock_file write;
-	allow $1 rpcbind_t:unix_stream_socket connectto;
+	stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t)
 ')
 
 ########################################
@@ -145,4 +144,10 @@ interface(`rpcbind_admin',`
 	domain_system_change_exemption($1)
 	role_transition $2 rpcbind_initrc_exec_t system_r;
 	allow $2 system_r;
+
+	files_search_var_lib($1)
+	admin_pattern($1, rpcbind_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, rpcbind_var_run_t)
 ')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 91a1d0a..fec701f 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -238,8 +238,8 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
 manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
 manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
-allow virtd_t virt_image_type:file { relabelfrom relabelto };
-allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
+allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 
 manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
 manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index bd3185e..5819211 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -741,7 +741,7 @@ interface(`auth_relabel_shadow',`
 	')
 
 	files_search_etc($1)
-	allow $1 shadow_t:file { relabelfrom relabelto };
+	allow $1 shadow_t:file relabel_file_perms;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
 
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index aa09d1c..453377e 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1033,8 +1033,8 @@ interface(`logging_admin_syslog',`
 	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 
 	logging_manage_all_logs($1)
-	allow $1 logfile:dir  { relabelfrom relabelto };
-	allow $1 logfile:file  { relabelfrom relabelto };
+	allow $1 logfile:dir relabel_dir_perms;
+	allow $1 logfile:file relabel_file_perms;
 
 	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
 	domain_system_change_exemption($1)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 59bc26b..5b277ea 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -89,8 +89,7 @@ interface(`udev_read_state',`
 	')
 
 	kernel_search_proc($1)
-	allow $1 udev_t:file read_file_perms;
-	allow $1 udev_t:lnk_file read_lnk_file_perms;
+	ps_process_pattern($1, udev_t)
 ')
 
 ########################################
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 45882b2..b4d758b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1781,7 +1781,7 @@ interface(`userdom_relabel_user_home_files',`
 		type user_home_t;
 	')
 
-	allow $1 user_home_t:file { relabelto relabelfrom };
+	allow $1 user_home_t:file relabel_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
index 4af4e6b..4aa96c6 100644
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
@@ -251,7 +251,7 @@ interface(`xen_domtrans_xm',`
 #
 interface(`xen_stream_connect_xm',`
 	gen_require(`
-		type xm_t;
+		type xm_t, xenstored_var_run_t;
 	')
 
 	files_search_pids($1)