From 59c03405487678f6de02969b4ed3a5e225a36516 Mon Sep 17 00:00:00 2001
From: Dominick Grift <domg472@gmail.com>
Date: Sep 16 2010 10:18:33 +0000
Subject: Use permission sets where possible.


Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Signed-off-by: Dominick Grift <domg472@gmail.com>

Use permission sets where possible.

Signed-off-by: Dominick Grift <domg472@gmail.com>

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

---

diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if
index 1e9cb00..0c97e36 100644
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
@@ -166,7 +166,7 @@ interface(`sendmail_rw_unix_stream_sockets',`
 		type sendmail_t;
 	')
 
-	allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+	allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
 ')
 
 ########################################
@@ -185,7 +185,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
 		type sendmail_t;
 	')
 
-	dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+	dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
index 699c2ab..64e9fb1 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -84,7 +84,7 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
 	')
 	dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
 	dontaudit $1 snmpd_var_lib_t:file read_file_perms;
-	dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
+	dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 56950e6..f906f43 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -270,7 +270,7 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
 		type spamd_tmp_t;
 	')
 
-	dontaudit $1 spamd_tmp_t:sock_file getattr;
+	dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index fb9774a..dc4f590 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -71,7 +71,7 @@ interface(`squid_rw_stream_sockets',`
 		type squid_t;
 	')
 
-	allow $1 squid_t:unix_stream_socket { getattr read write };
+	allow $1 squid_t:unix_stream_socket rw_socket_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index d3b2b55..bb8c7d1 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -189,7 +189,7 @@ template(`ssh_server_template', `
 	allow $1_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_t self:shm create_shm_perms;
 
-	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
+	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
 	term_create_pty($1_t, $1_devpts_t)
 
 	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
@@ -485,7 +485,7 @@ interface(`ssh_read_pipes',`
 		type sshd_t;
 	')
 
-	allow $1 sshd_t:fifo_file { getattr read };
+	allow $1 sshd_t:fifo_file read_fifo_file_perms;
 ')
 ########################################
 ## <summary>
@@ -502,7 +502,7 @@ interface(`ssh_rw_pipes',`
 		type sshd_t;
 	')
 
-	allow $1 sshd_t:fifo_file { write read getattr ioctl };
+	allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
@@ -645,7 +645,7 @@ interface(`ssh_setattr_key_files',`
 		type sshd_key_t;
 	')
 
-	allow $1 sshd_key_t:file setattr;
+	allow $1 sshd_key_t:file setattr_file_perms;
 	files_search_pids($1)
 ')
 
@@ -722,7 +722,7 @@ interface(`ssh_dontaudit_read_server_keys',`
 		type sshd_key_t;
 	')
 
-	dontaudit $1 sshd_key_t:file { getattr read };
+	dontaudit $1 sshd_key_t:file read_file_perms;
 ')
 
 ######################################
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 9a3d24f..1840faa 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -38,7 +38,7 @@ template(`virt_domain_template',`
 	dev_node($1_image_t)
 	dev_associate_sysfs($1_image_t)
 
-	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
+	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
 	term_create_pty($1_t, $1_devpts_t)
 
 	manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index f6cb1ad..54f5506 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -73,11 +73,11 @@ interface(`xserver_restricted_role',`
 
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 	allow $2 xdm_tmp_t:dir search_dir_perms;
-	allow $2 xdm_tmp_t:sock_file { read write };
+	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
 	dontaudit $2 xdm_t:tcp_socket { read write };
-	dontaudit $2 xdm_tmp_t:dir setattr;
+	dontaudit $2 xdm_tmp_t:dir setattr_dir_perms;
 
 	allow $2 xdm_t:dbus send_msg;
 	allow xdm_t  $2:dbus send_msg;
@@ -87,7 +87,7 @@ interface(`xserver_restricted_role',`
 	allow $2 xserver_tmpfs_t:file read_file_perms;
 
 	# Read /tmp/.X0-lock
-	allow $2 xserver_tmp_t:file { getattr read };
+	allow $2 xserver_tmp_t:file read_inherited_file_perms;
 
 	dev_rw_xserver_misc($2)
 	dev_rw_power_management($2)
@@ -489,9 +489,9 @@ template(`xserver_user_x_domain_template',`
 
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 	allow $2 xdm_tmp_t:dir search_dir_perms;
-	allow $2 xdm_tmp_t:sock_file { read write };
+	allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
 	dontaudit $2 xdm_t:tcp_socket { read write };
 
 	# Allow connections to X server.
@@ -675,7 +675,7 @@ interface(`xserver_setattr_console_pipes',`
 		type xconsole_device_t;
 	')
 
-	allow $1 xconsole_device_t:fifo_file setattr;
+	allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
 ')
 
 ########################################
@@ -748,7 +748,7 @@ interface(`xserver_rw_xdm_pipes',`
 		type xdm_t;
 	')
 
-	allow $1 xdm_t:fifo_file { getattr read write };
+	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 ########################################
@@ -827,7 +827,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
 		type xdm_tmp_t;
 	')
 
-	allow $1 xdm_tmp_t:dir setattr;
+	allow $1 xdm_tmp_t:dir setattr_dir_perms;
 ')
 
 ########################################
@@ -959,7 +959,7 @@ interface(`xserver_getattr_log',`
 	')
 
 	logging_search_logs($1)
-	allow $1 xserver_log_t:file getattr;
+	allow $1 xserver_log_t:file getattr_file_perms;
 ')
 
 ########################################
@@ -1152,7 +1152,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
 		type xdm_tmp_t;
 	')
 
-	dontaudit $1 xdm_tmp_t:sock_file getattr;
+	dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
 ')
 
 ########################################