From 69d1431276125ac650ed7139869be8ad322b3d81 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Sep 21 2010 11:50:00 +0000 Subject: Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. --- diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 846518b..f824074 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -195,7 +195,7 @@ interface(`postgresql_search_db',` type postgresql_db_t; ') - allow $1 postgresql_db_t:dir search; + allow $1 postgresql_db_t:dir search_dir_perms; ') ######################################## @@ -214,7 +214,7 @@ interface(`postgresql_manage_db',` allow $1 postgresql_db_t:dir rw_dir_perms; allow $1 postgresql_db_t:file rw_file_perms; - allow $1 postgresql_db_t:lnk_file { getattr read }; + allow $1 postgresql_db_t:lnk_file read_lnk_file_perms; ') ######################################## diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if index 5850449..6be9012 100644 --- a/policy/modules/services/razor.if +++ b/policy/modules/services/razor.if @@ -47,7 +47,7 @@ template(`razor_common_domain_template',` # Read system config file allow $1_t razor_etc_t:dir list_dir_perms; allow $1_t razor_etc_t:file read_file_perms; - allow $1_t razor_etc_t:lnk_file { getattr read }; + allow $1_t razor_etc_t:lnk_file read_lnk_file_perms; manage_dirs_pattern($1_t, razor_log_t, razor_log_t) manage_files_pattern($1_t, razor_log_t, razor_log_t) diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if index c8b7eec..9c2c963 100644 --- a/policy/modules/services/rgmanager.if +++ b/policy/modules/services/rgmanager.if @@ -91,7 +91,7 @@ interface(`rgmanager_rw_semaphores',` type rgmanager_t; ') - allow $1 rgmanager_t:sem { unix_read unix_write associate read write }; + allow $1 rgmanager_t:sem rw_sem_perms; ') ###################################### diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if index 53e3ac1..3128dd8 100644 --- a/policy/modules/services/ricci.if +++ b/policy/modules/services/ricci.if @@ -89,7 +89,7 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',` type ricci_modcluster_t; ') - dontaudit $1 ricci_modcluster_t:fifo_file { read write }; + dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if index a324444..28e7576 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if @@ -156,7 +156,7 @@ interface(`rpc_dontaudit_getattr_exports',` type exports_t; ') - dontaudit $1 exports_t:file getattr; + dontaudit $1 exports_t:file getattr_file_perms; ') ######################################## @@ -192,7 +192,7 @@ interface(`rpc_write_exports',` type exports_t; ') - allow $1 exports_t:file write; + allow $1 exports_t:file write_file_perms; ') ######################################## @@ -306,7 +306,7 @@ interface(`rpc_read_nfs_content',` allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; - allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read }; + allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms; ') ######################################## @@ -399,7 +399,7 @@ interface(`rpc_search_nfs_state_data',` ') files_search_var_lib($1) - allow $1 var_lib_nfs_t:dir search; + allow $1 var_lib_nfs_t:dir search_dir_perms; ') ######################################## diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index cd2798a..1cc3a1e 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -47,7 +47,7 @@ interface(`xserver_restricted_role',` manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) - allow $2 xserver_tmp_t:sock_file unlink; + allow $2 xserver_tmp_t:sock_file delete_sock_file_perms; files_search_tmp($2) # Communicate via System V shared memory. @@ -271,7 +271,7 @@ interface(`xserver_non_drawing_client',` allow $1 self:x_gc { create setattr }; - allow $1 xdm_var_run_t:dir search; + allow $1 xdm_var_run_t:dir search_dir_perms; allow $1 xserver_t:unix_stream_socket connectto; allow $1 xextension_t:x_extension { query use }; @@ -313,7 +313,7 @@ interface(`xserver_user_client',` # for when /tmp/.X11-unix is created by the system allow $1 xdm_t:fd use; allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; - allow $1 xdm_tmp_t:dir search; + allow $1 xdm_tmp_t:dir search_dir_perms; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write };