diff --git a/Changelog b/Changelog
index 773ad92..8a78a19 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Enable open permission checks policy capability.
 - Remove hierarchy from portage module as it is not a good example of
   hieararchy.
 - Remove enableaudit target from modular build as semodule -DB supplants it.
diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te
index 6d084c9..1e6ec2d 100644
--- a/policy/modules/admin/acct.te
+++ b/policy/modules/admin/acct.te
@@ -23,7 +23,7 @@ allow acct_t self:capability { sys_pacct chown fsetid };
 # not sure why we need kill, the command "last" is reported as using it
 dontaudit acct_t self:capability { kill sys_tty_config };
 
-allow acct_t self:fifo_file { read write getattr };
+allow acct_t self:fifo_file rw_fifo_file_perms;
 allow acct_t self:process signal_perms;
 
 manage_files_pattern(acct_t, acct_data_t, acct_data_t)
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index b6512fe..4b5209c 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -76,10 +76,10 @@ allow amanda_t self:tcp_socket create_stream_socket_perms;
 allow amanda_t self:udp_socket create_socket_perms;
 
 # access to amanda_amandates_t
-allow amanda_t amanda_amandates_t:file { getattr lock read write };
+allow amanda_t amanda_amandates_t:file rw_file_perms;
 
 # configuration files -> read only
-allow amanda_t amanda_config_t:file { getattr read };
+allow amanda_t amanda_config_t:file read_file_perms;
 
 # access to amandas data structure
 manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
@@ -87,7 +87,7 @@ manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
 
 # access to amanda_dumpdates_t
-allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
+allow amanda_t amanda_dumpdates_t:file rw_file_perms;
 
 can_exec(amanda_t, amanda_exec_t)
 can_exec(amanda_t, amanda_inetd_exec_t)
@@ -172,7 +172,7 @@ optional_policy(`
 
 allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
 allow amanda_recover_t self:process { sigkill sigstop signal };
-allow amanda_recover_t self:fifo_file { getattr ioctl read write };
+allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
 allow amanda_recover_t self:unix_stream_socket { connect create read write };
 allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
 allow amanda_recover_t self:udp_socket create_socket_perms;
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index 456fca9..07e58a5 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -171,7 +171,7 @@ userdom_use_unpriv_users_fds(dpkg_t)
 # transition to dpkg script:
 dpkg_domtrans_script(dpkg_t)
 # since the scripts aren't labeled correctly yet...
-allow dpkg_t dpkg_var_lib_t:file execute;
+allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
 
 optional_policy(`
 	apt_use_ptys(dpkg_t)
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index 2d22199..cadd349 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -27,13 +27,12 @@ files_config_file(firstboot_etc_t)
 
 allow firstboot_t self:capability { dac_override setgid };
 allow firstboot_t self:process setfscreate;
-allow firstboot_t self:file { read write };
-allow firstboot_t self:fifo_file { getattr read write };
+allow firstboot_t self:fifo_file rw_fifo_file_perms;
 allow firstboot_t self:tcp_socket create_stream_socket_perms;
 allow firstboot_t self:unix_stream_socket { connect create };
 allow firstboot_t self:passwd rootok;
 
-allow firstboot_t firstboot_etc_t:file { getattr read };
+allow firstboot_t firstboot_etc_t:file read_file_perms;
 
 kernel_read_system_state(firstboot_t)
 kernel_read_kernel_sysctls(firstboot_t)
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 962f752..7cc90c2 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -33,7 +33,7 @@ files_pid_file(mrtg_var_run_t)
 allow mrtg_t self:capability { setgid setuid chown };
 dontaudit mrtg_t self:capability sys_tty_config;
 allow mrtg_t self:process signal_perms;
-allow mrtg_t self:fifo_file { getattr read write ioctl };
+allow mrtg_t self:fifo_file rw_fifo_file_perms;
 allow mrtg_t self:unix_stream_socket create_socket_perms;
 allow mrtg_t self:tcp_socket create_socket_perms;
 allow mrtg_t self:udp_socket create_socket_perms;
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index d2a092e..4f8ebcd 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -73,7 +73,7 @@ read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
 allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
 read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t)
 
-allow gcc_config_t portage_exec_t:file { execute getattr };
+allow gcc_config_t portage_exec_t:file mmap_file_perms;
 
 kernel_read_system_state(gcc_config_t)
 kernel_read_kernel_sysctls(gcc_config_t)
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index ce325ba..fc30eb5 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -68,8 +68,6 @@ allow rpm_t self:shm create_shm_perms;
 allow rpm_t self:sem create_sem_perms;
 allow rpm_t self:msgq create_msgq_perms;
 allow rpm_t self:msg { send receive };
-allow rpm_t self:dir search;
-allow rpm_t self:file rw_file_perms;;
 
 allow rpm_t rpm_log_t:file manage_file_perms;
 logging_log_filetrans(rpm_t, rpm_log_t, file)
diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te
index ccb521f..d23ce81 100644
--- a/policy/modules/admin/updfstab.te
+++ b/policy/modules/admin/updfstab.te
@@ -18,7 +18,7 @@ init_system_domain(updfstab_t, updfstab_exec_t)
 allow updfstab_t self:capability dac_override;
 dontaudit updfstab_t self:capability { sys_admin sys_tty_config };
 allow updfstab_t self:process signal_perms;
-allow updfstab_t self:fifo_file { getattr read write ioctl };
+allow updfstab_t self:fifo_file rw_fifo_file_perms;
 
 kernel_use_fds(updfstab_t)
 kernel_read_kernel_sysctls(updfstab_t)
diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te
index d59f8be..43af46d 100644
--- a/policy/modules/apps/awstats.te
+++ b/policy/modules/apps/awstats.te
@@ -71,7 +71,7 @@ optional_policy(`
 # awstats cgi script policy
 #
 
-allow httpd_awstats_script_t awstats_var_lib_t:dir read;
+allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
 
 read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
 files_search_var_lib(httpd_awstats_script_t)
diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te
index b739074..6096881 100644
--- a/policy/modules/apps/calamaris.te
+++ b/policy/modules/apps/calamaris.te
@@ -24,7 +24,7 @@ logging_log_file(calamaris_log_t)
 # for when squid has a different UID
 allow calamaris_t self:capability dac_override;
 allow calamaris_t self:process { fork signal_perms setsched };
-allow calamaris_t self:fifo_file { getattr read write ioctl };
+allow calamaris_t self:fifo_file rw_fifo_file_perms;
 allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
 allow calamaris_t self:tcp_socket create_stream_socket_perms;
 allow calamaris_t self:udp_socket create_socket_perms;
diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
index 12ec66e..8d02fca 100644
--- a/policy/modules/apps/webalizer.te
+++ b/policy/modules/apps/webalizer.te
@@ -48,7 +48,7 @@ allow webalizer_t self:tcp_socket connected_stream_socket_perms;
 allow webalizer_t self:udp_socket { connect connected_socket_perms };
 allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
 
-allow webalizer_t webalizer_etc_t:file { getattr read };
+allow webalizer_t webalizer_etc_t:file read_file_perms;
 
 manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
 manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te
index 70a5ab8..bf2bf54 100644
--- a/policy/modules/apps/yam.te
+++ b/policy/modules/apps/yam.te
@@ -42,7 +42,7 @@ manage_dirs_pattern(yam_t, yam_content_t, yam_content_t)
 manage_files_pattern(yam_t, yam_content_t, yam_content_t)
 manage_lnk_files_pattern(yam_t, yam_content_t, yam_content_t)
 
-allow yam_t yam_etc_t:file { getattr read };
+allow yam_t yam_etc_t:file read_file_perms;
 files_search_etc(yam_t)
 
 manage_files_pattern(yam_t, yam_tmp_t, yam_tmp_t)
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 526df99..8fcf126 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -628,7 +628,7 @@ interface(`domain_read_confined_domains_state',`
 	read_lnk_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
 
 	dontaudit $1 unconfined_domain_type:dir search_dir_perms;
-	dontaudit $1 unconfined_domain_type:file { getattr read };
+	dontaudit $1 unconfined_domain_type:file read_file_perms;
 ')
 
 ########################################
@@ -743,12 +743,12 @@ interface(`domain_dontaudit_read_all_domains_state',`
 	')
 
 	dontaudit $1 domain:dir list_dir_perms;
-	dontaudit $1 domain:lnk_file read_file_perms;
+	dontaudit $1 domain:lnk_file read_lnk_file_perms;
 	dontaudit $1 domain:file read_file_perms;
 
 	# cjp: these should be removed:
-	dontaudit $1 domain:sock_file read_file_perms;
-	dontaudit $1 domain:fifo_file read_file_perms;
+	dontaudit $1 domain:sock_file read_sock_file_perms;
+	dontaudit $1 domain:fifo_file read_fifo_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index a4c47e7..32d4c26 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -33,8 +33,8 @@ neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security sets
 #
 
 # use SELinuxfs
-allow selinux_unconfined_type security_t:dir { getattr search read };
-allow selinux_unconfined_type security_t:file { getattr read write };
+allow selinux_unconfined_type security_t:dir list_dir_perms;
+allow selinux_unconfined_type security_t:file rw_file_perms;
 
 # Access the security API.
 allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
index d8b0334..b6c15b1 100644
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
@@ -70,7 +70,7 @@ can_exec(afs_bosserver_t,afs_bosserver_exec_t)
 manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
 manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
 
-allow afs_bosserver_t afs_dbdir_t:dir { search read getattr };
+allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms;
 
 allow afs_bosserver_t afs_fsserver_t:process signal_perms;
 domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 630b5e3..6bb849d 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -790,7 +790,7 @@ interface(`apache_exec_modules',`
 	')
 
 	allow $1 httpd_modules_t:dir list_dir_perms;
-	allow $1 httpd_modules_t:lnk_file read_file_perms;
+	allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
 	can_exec($1,httpd_modules_t)
 ')
 
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index bb7d2c9..490683f 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -258,7 +258,7 @@ manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 
-allow httpd_t httpd_suexec_exec_t:file { getattr read };
+allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
 allow httpd_t httpd_sys_content_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
@@ -509,9 +509,9 @@ optional_policy(`
 
 domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
 
-allow httpd_helper_t httpd_config_t:file { getattr read };
+allow httpd_helper_t httpd_config_t:file read_file_perms;
 
-allow httpd_helper_t httpd_log_t:file append;
+allow httpd_helper_t httpd_log_t:file append_file_perms;
 
 libs_use_ld_so(httpd_helper_t)
 libs_use_shared_libs(httpd_helper_t)
@@ -677,7 +677,7 @@ allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
 
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
 
 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -692,7 +692,7 @@ files_search_spool(httpd_sys_script_t)
 apache_domtrans_rotatelogs(httpd_sys_script_t)
 
 ifdef(`distro_redhat',`
-	allow httpd_sys_script_t httpd_log_t:file { getattr append };
+	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
 ')
 
 tunable_policy(`httpd_enable_homedirs',`
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 3869e4f..6703a6b 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -21,7 +21,7 @@ files_pid_file(avahi_var_run_t)
 allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
 dontaudit avahi_t self:capability sys_tty_config;
 allow avahi_t self:process { setrlimit signal_perms setcap };
-allow avahi_t self:fifo_file { read write };
+allow avahi_t self:fifo_file rw_fifo_file_perms;
 allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow avahi_t self:unix_dgram_socket create_socket_perms;
 allow avahi_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index ee0ae50..57ab115 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -70,7 +70,7 @@ allow named_t self:unix_dgram_socket create_socket_perms;
 allow named_t self:tcp_socket create_stream_socket_perms;
 allow named_t self:udp_socket create_socket_perms;
 
-allow named_t dnssec_t:file { getattr read };
+allow named_t dnssec_t:file read_file_perms;
 
 # read configuration
 allow named_t named_conf_t:dir list_dir_perms;
@@ -201,22 +201,20 @@ optional_policy(`
 # cjp: why net_admin?!
 allow ndc_t self:capability { dac_override net_admin };
 allow ndc_t self:process { fork signal_perms };
-allow ndc_t self:fifo_file { read write getattr ioctl };
+allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
 allow ndc_t self:tcp_socket create_socket_perms;
 allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
 
-allow ndc_t dnssec_t:file { getattr read };
+allow ndc_t dnssec_t:file read_file_perms;
 allow ndc_t dnssec_t:lnk_file { getattr read };
 
-allow ndc_t named_t:unix_stream_socket connectto;
+stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
 
-allow ndc_t named_conf_t:file { getattr read };
+allow ndc_t named_conf_t:file read_file_perms;
 allow ndc_t named_conf_t:lnk_file { getattr read };
 
-allow ndc_t named_var_run_t:sock_file rw_file_perms;
-
-allow ndc_t named_zone_t:dir search;
+allow ndc_t named_zone_t:dir search_dir_perms;
 
 kernel_read_kernel_sysctls(ndc_t)
 
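Review bot: The two lnk_file rules kept as context in this hunk, `allow ndc_t dnssec_t:lnk_file { getattr read };` and `allow ndc_t named_conf_t:lnk_file { getattr read };`, still spell out a raw permission set while this same commit converts lnk_file rules to `read_lnk_file_perms` in domain.if and apache.if; converting them here keeps bind.te consistent with the rest of the change (the same leftover pattern appears on context lines in the gatekeeper.te and mysql.te hunks). The `stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)` replacement is a net tightening over the removed `named_var_run_t:sock_file rw_file_perms` rule, since the pattern grants only `write` on the socket file plus directory search; that is presumably all ndc needs to connect, but it is worth a line in the commit description because it narrows rather than merely renames the access.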
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index 0dbde41..670a60d 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -38,7 +38,7 @@ files_pid_file(ccs_var_run_t)
 allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin };
 allow ccs_t self:process { signal setrlimit setsched };
 dontaudit ccs_t self:process ptrace;
-allow ccs_t self:fifo_file { read write };
+allow ccs_t self:fifo_file rw_fifo_file_perms;
 allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow ccs_t self:unix_dgram_socket create_socket_perms;
 allow ccs_t self:netlink_route_socket r_netlink_socket_perms;
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 357ba46..22d152d 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -123,7 +123,7 @@ files_pid_filetrans(cupsd_t, cupsd_var_run_t, file)
 
 read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
 
-allow cupsd_t hplip_var_run_t:file { read getattr };
+allow cupsd_t hplip_var_run_t:file read_file_perms;
 
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
 allow cupsd_t ptal_var_run_t : sock_file setattr;
@@ -307,7 +307,7 @@ allow cupsd_config_t cupsd_log_t:file rw_file_perms;
 allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;
 files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
 
-allow cupsd_config_t cupsd_var_run_t:file { getattr read };
+allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
 
 manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
 files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
index e59c8ac..d2a6899 100644
--- a/policy/modules/services/dante.te
+++ b/policy/modules/services/dante.te
@@ -24,7 +24,7 @@ files_pid_file(dante_var_run_t)
 allow dante_t self:capability { setuid setgid };
 dontaudit dante_t self:capability sys_tty_config;
 allow dante_t self:process signal_perms;
-allow dante_t self:fifo_file { read write };
+allow dante_t self:fifo_file rw_fifo_file_perms;
 allow dante_t self:tcp_socket create_stream_socket_perms;
 allow dante_t self:udp_socket create_socket_perms;
 
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 2e8dc2e..3054bce 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -36,7 +36,7 @@ files_pid_file(system_dbusd_var_run_t)
 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process { getattr signal_perms setcap };
-allow system_dbusd_t self:fifo_file { read write };
+allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
 allow system_dbusd_t self:dbus { send_msg acquire_svc };
 allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
 allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index d8b0e5a..7f7729e 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -27,7 +27,7 @@ files_pid_file(dhcpd_var_run_t)
 allow dhcpd_t self:capability net_raw;
 dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
 allow dhcpd_t self:process signal_perms;
-allow dhcpd_t self:fifo_file { read write getattr };
+allow dhcpd_t self:fifo_file rw_fifo_file_perms;
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
 allow dhcpd_t self:unix_stream_socket create_socket_perms;
 allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te
index 610d083..10b412c 100644
--- a/policy/modules/services/distcc.te
+++ b/policy/modules/services/distcc.te
@@ -27,7 +27,7 @@ files_pid_file(distccd_var_run_t)
 allow distccd_t self:capability { setgid setuid };
 dontaudit distccd_t self:capability sys_tty_config;
 allow distccd_t self:process { signal_perms setsched };
-allow distccd_t self:fifo_file { read write getattr };
+allow distccd_t self:fifo_file rw_fifo_file_perms;
 allow distccd_t self:netlink_route_socket r_netlink_socket_perms;
 allow distccd_t self:tcp_socket create_stream_socket_perms;
 allow distccd_t self:udp_socket create_socket_perms;
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index ed88fff..86085fb 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -24,7 +24,7 @@ files_pid_file(dnsmasq_var_run_t)
 allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
 dontaudit dnsmasq_t self:capability sys_tty_config;
 allow dnsmasq_t self:process { setcap signal_perms };
-allow dnsmasq_t self:fifo_file { read write };
+allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
 allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
 allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
 allow dnsmasq_t self:udp_socket create_socket_perms;
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 3d4b1ff..9785ac9 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -148,7 +148,7 @@ allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
 
 allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
 
-allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
+allow dovecot_auth_t dovecot_passwd_t:file read_file_perms;
 
 # Allow dovecot to create and read SSL parameters file
 manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index 56cc74b..add0d44 100644
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@@ -28,7 +28,7 @@ files_pid_file(fingerd_var_run_t)
 allow fingerd_t self:capability { setgid setuid };
 dontaudit fingerd_t self:capability { sys_tty_config fsetid };
 allow fingerd_t self:process signal_perms;
-allow fingerd_t self:fifo_file { read write getattr };
+allow fingerd_t self:fifo_file rw_fifo_file_perms;
 allow fingerd_t self:tcp_socket connected_stream_socket_perms;
 allow fingerd_t self:udp_socket create_socket_perms;
 allow fingerd_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index 9de0edc..70acca3 100644
--- a/policy/modules/services/gatekeeper.te
+++ b/policy/modules/services/gatekeeper.te
@@ -35,7 +35,7 @@ allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
 allow gatekeeper_t self:udp_socket create_socket_perms;
 
 allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
-allow gatekeeper_t gatekeeper_etc_t:file { getattr read };
+allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
 files_search_etc(gatekeeper_t)
 
 manage_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t)
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index e3e529a..04674d9 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -30,7 +30,7 @@ files_pid_file(jabberd_var_run_t)
 allow jabberd_t self:capability dac_override;
 dontaudit jabberd_t self:capability sys_tty_config;
 allow jabberd_t self:process signal_perms;
-allow jabberd_t self:fifo_file { read write getattr };
+allow jabberd_t self:fifo_file read_fifo_file_perms;
 allow jabberd_t self:tcp_socket create_stream_socket_perms;
 allow jabberd_t self:udp_socket create_socket_perms;
 
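Review bot: The `+` line replaces `{ read write getattr }` with `read_fifo_file_perms`, which drops `write` on jabberd_t's own fifo_file, so any pipe jabberd uses to talk to itself or its children will now be denied; every other self:fifo_file conversion in this commit uses `rw_fifo_file_perms`, so this reads like a typo. The nscd.te hunk has the same drop, turning `{ read write }` into `read_fifo_file_perms`. Suggested lines: `allow jabberd_t self:fifo_file rw_fifo_file_perms;` and, in nscd.te, `allow nscd_t self:fifo_file rw_fifo_file_perms;`. If the narrowing is intentional it deserves an inline comment, since it silently tightens policy inside a commit that is otherwise a mechanical permission-set cleanup.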
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index 1a5ef74..0038d75 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -44,7 +44,7 @@ files_pid_file(slapd_var_run_t)
 allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
 dontaudit slapd_t self:capability sys_tty_config;
 allow slapd_t self:process setsched;
-allow slapd_t self:fifo_file { read write };
+allow slapd_t self:fifo_file rw_fifo_file_perms;
 allow slapd_t self:udp_socket create_socket_perms;
 #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
 allow slapd_t self:tcp_socket create_stream_socket_perms;
@@ -58,7 +58,7 @@ manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t)
 manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
 manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
 
-allow slapd_t slapd_etc_t:file { getattr read };
+allow slapd_t slapd_etc_t:file read_file_perms;
 
 allow slapd_t slapd_lock_t:file manage_file_perms;
 files_lock_filetrans(slapd_t,slapd_lock_t,file)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index d44f211..ca30c34 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -68,7 +68,7 @@ delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
 files_search_spool(checkpc_t)
 
 allow checkpc_t printconf_t:file getattr;
-allow checkpc_t printconf_t:dir { getattr search read };
+allow checkpc_t printconf_t:dir list_dir_perms;
 
 kernel_read_system_state(checkpc_t)
 
@@ -142,7 +142,7 @@ manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
 files_search_spool(lpd_t)
 
 # lpd must be able to execute the filter utilities in /usr/share/printconf.
-allow lpd_t printconf_t:dir { getattr search read };
+allow lpd_t printconf_t:dir list_dir_perms;
 can_exec(lpd_t, printconf_t)
 
 # Create and bind to /dev/printer.
diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te
index eb4880a..04b480f 100644
--- a/policy/modules/services/monop.te
+++ b/policy/modules/services/monop.te
@@ -29,7 +29,7 @@ allow monopd_t self:process signal_perms;
 allow monopd_t self:tcp_socket create_stream_socket_perms;
 allow monopd_t self:udp_socket create_socket_perms;
 
-allow monopd_t monopd_etc_t:file { getattr read };
+allow monopd_t monopd_etc_t:file read_file_perms;
 files_search_etc(monopd_t)
 
 allow monopd_t monopd_share_t:dir list_dir_perms;
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index ba21f5f..0115dbf 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -157,7 +157,7 @@ interface(`mysql_rw_db_sockets',`
 
 	files_search_var_lib($1)
 	allow $1 mysqld_db_t:dir search;
-	allow $1 mysqld_db_t:sock_file rw_file_perms;
+	allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 708735c..760dad2 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -33,7 +33,7 @@ files_tmp_file(mysqld_tmp_t)
 allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
 dontaudit mysqld_t self:capability sys_tty_config;
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
-allow mysqld_t self:fifo_file { read write };
+allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
 allow mysqld_t self:tcp_socket create_stream_socket_perms;
 allow mysqld_t self:udp_socket create_socket_perms;
@@ -43,7 +43,7 @@ manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file })
 
-allow mysqld_t mysqld_etc_t:file { getattr read };
+allow mysqld_t mysqld_etc_t:file read_file_perms;
 allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
 allow mysqld_t mysqld_etc_t:dir list_dir_perms;
 
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 741b157..5a92af1 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -177,7 +177,7 @@ dontaudit nrpe_t self:capability sys_tty_config;
 allow nrpe_t self:process { setpgid signal_perms };
 allow nrpe_t self:fifo_file rw_fifo_file_perms;
 
-allow nrpe_t nrpe_etc_t:file { getattr read };
+allow nrpe_t nrpe_etc_t:file read_file_perms;
 files_search_etc(nrpe_t)
 
 kernel_read_system_state(nrpe_t)
diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te
index eda0e12..af734bc 100644
--- a/policy/modules/services/nessus.te
+++ b/policy/modules/services/nessus.te
@@ -30,7 +30,7 @@ files_pid_file(nessusd_var_run_t)
 allow nessusd_t self:capability net_raw;
 dontaudit nessusd_t self:capability sys_tty_config;
 allow nessusd_t self:process { setsched signal_perms };
-allow nessusd_t self:fifo_file { getattr read write };
+allow nessusd_t self:fifo_file rw_fifo_file_perms;
 allow nessusd_t self:tcp_socket create_stream_socket_perms;
 allow nessusd_t self:udp_socket create_socket_perms;
 allow nessusd_t self:rawip_socket create_socket_perms;
@@ -42,7 +42,7 @@ manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
 manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
 files_list_var_lib(nessusd_t)
 
-allow nessusd_t nessusd_etc_t:file { getattr read };
+allow nessusd_t nessusd_etc_t:file read_file_perms;
 files_search_etc(nessusd_t)
 
 manage_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t)
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index 9cec5d3..bd0e701 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -224,7 +224,7 @@ allow ypserv_t self:udp_socket create_socket_perms;
 
 manage_files_pattern(ypserv_t,var_yp_t,var_yp_t)
 
-allow ypserv_t ypserv_conf_t:file { getattr read };
+allow ypserv_t ypserv_conf_t:file read_file_perms;
 
 manage_dirs_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
 manage_files_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
@@ -304,7 +304,7 @@ manage_files_pattern(ypxfr_t, var_yp_t, var_yp_t)
 allow ypxfr_t ypserv_t:tcp_socket { read write };
 allow ypxfr_t ypserv_t:udp_socket { read write };
 
-allow ypxfr_t ypserv_conf_t:file { getattr read };
+allow ypxfr_t ypserv_conf_t:file read_file_perms;
 
 corenet_all_recvfrom_unlabeled(ypxfr_t)
 corenet_all_recvfrom_netlabel(ypxfr_t)
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 5e4eb69..e871857 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -31,7 +31,7 @@ logging_log_file(nscd_log_t)
 allow nscd_t self:capability { kill setgid setuid audit_write };
 dontaudit nscd_t self:capability sys_tty_config;
 allow nscd_t self:process { getattr setsched signal_perms };
-allow nscd_t self:fifo_file { read write };
+allow nscd_t self:fifo_file read_fifo_file_perms;
 allow nscd_t self:unix_stream_socket create_stream_socket_perms;
 allow nscd_t self:unix_dgram_socket create_socket_perms;
 allow nscd_t self:netlink_selinux_socket create_socket_perms;
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
index 22611c0..7cd87e5 100644
--- a/policy/modules/services/nsd.te
+++ b/policy/modules/services/nsd.te
@@ -124,7 +124,7 @@ allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
 allow nsd_crond_t self:tcp_socket create_socket_perms;
 allow nsd_crond_t self:udp_socket create_socket_perms;
 
-allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
+allow nsd_crond_t nsd_conf_t:file read_file_perms;
 
 allow nsd_crond_t nsd_db_t:file manage_file_perms;
 filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
index 54a2c5f..fd48217 100644
--- a/policy/modules/services/ntop.te
+++ b/policy/modules/services/ntop.te
@@ -34,7 +34,7 @@ files_pid_file(ntop_var_run_t)
 allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
 dontaudit ntop_t self:capability sys_tty_config;
 allow ntop_t self:process signal_perms;
-allow ntop_t self:fifo_file { read write };
+allow ntop_t self:fifo_file rw_fifo_file_perms;
 allow ntop_t self:tcp_socket create_stream_socket_perms;
 allow ntop_t self:udp_socket create_socket_perms;
 allow ntop_t self:packet_socket create_socket_perms;
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 53a8150..19005e3 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -41,7 +41,7 @@ init_system_domain(ntpd_t, ntpdate_exec_t)
 allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
 dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
 allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
-allow ntpd_t self:fifo_file { read write getattr };
+allow ntpd_t self:fifo_file rw_fifo_file_perms;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
 allow ntpd_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
index eef573e..16d321d 100644
--- a/policy/modules/services/nx.te
+++ b/policy/modules/services/nx.te
@@ -30,7 +30,7 @@ files_pid_file(nx_server_var_run_t)
 # NX server local policy
 #
 
-allow nx_server_t self:fifo_file { getattr ioctl read write };
+allow nx_server_t self:fifo_file rw_fifo_file_perms;
 allow nx_server_t self:tcp_socket create_socket_perms;
 allow nx_server_t self:udp_socket create_socket_perms;
 
diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
index 9800dde..fc63af2 100644
--- a/policy/modules/services/oav.te
+++ b/policy/modules/services/oav.te
@@ -82,7 +82,7 @@ optional_policy(`
 
 dontaudit scannerdaemon_t self:capability sys_tty_config;
 allow scannerdaemon_t self:process signal_perms;
-allow scannerdaemon_t self:fifo_file { read write };
+allow scannerdaemon_t self:fifo_file rw_fifo_file_perms;
 allow scannerdaemon_t self:tcp_socket create_stream_socket_perms;
 allow scannerdaemon_t self:udp_socket create_socket_perms;
 
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index 0a38d3a..051098c 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -29,7 +29,7 @@ files_pid_file(oddjob_var_run_t)
 
 allow oddjob_t self:capability setgid;
 allow oddjob_t self:process { setexec signal };
-allow oddjob_t self:fifo_file { read write };
+allow oddjob_t self:fifo_file rw_fifo_file_perms;
 allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
@@ -68,7 +68,7 @@ optional_policy(`
 # oddjob_mkhomedir local policy
 #
 
-allow oddjob_mkhomedir_t self:fifo_file { read write };
+allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
 allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
 
 files_read_etc_files(oddjob_mkhomedir_t)
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index a90f603..b3e9931 100644
--- a/policy/modules/services/pcscd.te
+++ b/policy/modules/services/pcscd.te
@@ -22,7 +22,7 @@ files_pid_file(pcscd_var_run_t)
 
 allow pcscd_t self:capability { dac_override dac_read_search };
 allow pcscd_t self:process signal;
-allow pcscd_t self:fifo_file { read write };
+allow pcscd_t self:fifo_file rw_fifo_file_perms;
 allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
 allow pcscd_t self:unix_dgram_socket create_socket_perms;
 allow pcscd_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te
index b221e6b..e7c6650 100644
--- a/policy/modules/services/perdition.te
+++ b/policy/modules/services/perdition.te
@@ -27,7 +27,7 @@ allow perdition_t self:process signal_perms;
 allow perdition_t self:tcp_socket create_stream_socket_perms;
 allow perdition_t self:udp_socket create_socket_perms;
 
-allow perdition_t perdition_etc_t:file { getattr read };
+allow perdition_t perdition_etc_t:file read_file_perms;
 files_search_etc(perdition_t)
 
 manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 3f2cb82..ad008aa 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -474,8 +474,8 @@ manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
 manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
 manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
 
-allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
-allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
+allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
+allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
 allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
 
 corecmd_exec_bin(postfix_qmgr_t)
@@ -494,8 +494,8 @@ allow postfix_showq_t postfix_spool_t:file read_file_perms;
 
 postfix_list_spool(postfix_showq_t)
 
-allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
-allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
+allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
+allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
 allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
 
 # to write the mailq output, it really should not need read access!
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 36ac371..060a601 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -103,8 +103,7 @@ role system_r types sepgsql_trusted_proc_t;
 allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
 dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
 allow postgresql_t self:process signal_perms;
-allow postgresql_t self:fifo_file { getattr read write ioctl };
-allow postgresql_t self:file { getattr read };
+allow postgresql_t self:fifo_file rw_fifo_file_perms;
 allow postgresql_t self:sem create_sem_perms;
 allow postgresql_t self:shm create_shm_perms;
 allow postgresql_t self:tcp_socket create_stream_socket_perms;
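Review bot: `allow postgresql_t self:file { getattr read };` is deleted without a replacement, which silently removes a permission rather than adding `open` to it; the same silent removal happens for `allow dhcpc_t dhcp_state_t:file { getattr read };` in the sysnetwork.te hunk. If both rules are known to be dead, a sentence in the commit description saying so would keep the series reviewable as a pure permission-set conversion. Otherwise the postgresql line should become `allow postgresql_t self:file read_file_perms;` and the dhcpc rule should be converted the same way rather than dropped.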
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 269950e..229a6fe 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -223,23 +223,23 @@ optional_policy(`
 allow pptp_t self:capability net_raw;
 dontaudit pptp_t self:capability sys_tty_config;
 allow pptp_t self:process signal;
-allow pptp_t self:fifo_file { read write };
+allow pptp_t self:fifo_file rw_fifo_file_perms;
 allow pptp_t self:unix_dgram_socket create_socket_perms;
 allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow pptp_t self:rawip_socket create_socket_perms;
 allow pptp_t self:tcp_socket create_socket_perms;
 
-allow pptp_t pppd_etc_t:dir { getattr read search };
-allow pptp_t pppd_etc_t:file { read getattr };
+allow pptp_t pppd_etc_t:dir list_dir_perms;
+allow pptp_t pppd_etc_t:file read_file_perms;
 allow pptp_t pppd_etc_t:lnk_file { getattr read };
 
-allow pptp_t pppd_etc_rw_t:dir { getattr read search };
-allow pptp_t pppd_etc_rw_t:file { read getattr };
+allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
+allow pptp_t pppd_etc_rw_t:file read_file_perms;
 allow pptp_t pppd_etc_rw_t:lnk_file { getattr read };
 can_exec(pptp_t, pppd_etc_rw_t)
 
 # Allow pptp to append to pppd log files
-allow pptp_t pppd_log_t:file append;
+allow pptp_t pppd_log_t:file append_file_perms;
 
 allow pptp_t pptp_log_t:file manage_file_perms;
 logging_log_filetrans(pptp_t, pptp_log_t, file)
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
index 8ad47da..8ff937b 100644
--- a/policy/modules/services/qmail.te
+++ b/policy/modules/services/qmail.te
@@ -73,10 +73,10 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
 #   this component preprocesses mail from stdin and invokes qmail-queue
 #
 
-allow qmail_inject_t self:fifo_file write;
+allow qmail_inject_t self:fifo_file write_fifo_file_perms;
 allow qmail_inject_t self:process signal_perms;
 
-allow qmail_inject_t qmail_queue_exec_t:file read;
+allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
 
 corecmd_search_bin(qmail_inject_t)
 
@@ -95,7 +95,7 @@ qmail_read_config(qmail_inject_t)
 #   this component delivers a mail message
 #
 
-allow qmail_local_t self:fifo_file write;
+allow qmail_local_t self:fifo_file write_file_perms;
 allow qmail_local_t self:process signal_perms;
 allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
 
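Review bot: The changed line uses `write_file_perms` on a `fifo_file` class, while the same conversion for qmail_inject_t two hunks up uses the class-specific `write_fifo_file_perms`; the same file-macro-on-fifo mix appears in uptime.te (uptimed_t), uucp.te (uux_t) and, on the read side, ipsec.te (ipsec_t gets `read_file_perms`). Whether or not the two macros currently expand to the same bits, the commit's own convention elsewhere (udev, samba, authlogin, init.if) is to match the macro to the object class, so the line should read `allow qmail_local_t self:fifo_file write_fifo_file_perms;` with the matching fifo macro in the three other hunks.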
@@ -104,7 +104,7 @@ manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
 
 can_exec(qmail_local_t, qmail_local_exec_t)
 
-allow qmail_local_t qmail_queue_exec_t:file read;
+allow qmail_local_t qmail_queue_exec_t:file read_file_perms;
 
 allow qmail_local_t qmail_spool_t:file read_file_perms;
 
@@ -132,12 +132,12 @@ qmail_domtrans_queue(qmail_local_t)
 
 allow qmail_lspawn_t self:capability { setuid setgid };
 allow qmail_lspawn_t self:process signal_perms;
-allow qmail_lspawn_t self:fifo_file { read write };
+allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms;
 allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
 
 can_exec(qmail_lspawn_t, qmail_exec_t)
 
-allow qmail_lspawn_t qmail_local_exec_t:file read;
+allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
 
 read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
 
@@ -154,10 +154,10 @@ files_search_tmp(qmail_lspawn_t)
 #
 
 allow qmail_queue_t qmail_lspawn_t:fd use;
-allow qmail_queue_t qmail_lspawn_t:fifo_file write;
+allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
 
 allow qmail_queue_t qmail_smtpd_t:fd use;
-allow qmail_queue_t qmail_smtpd_t:fifo_file read;
+allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
 allow qmail_queue_t qmail_smtpd_t:process sigchld;
 
 manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
@@ -206,9 +206,9 @@ sysnet_read_config(qmail_remote_t)
 #
 
 allow qmail_rspawn_t self:process signal_perms;
-allow qmail_rspawn_t self:fifo_file read;
+allow qmail_rspawn_t self:fifo_file read_fifo_file_perms;
 
-allow qmail_rspawn_t qmail_remote_exec_t:file read;
+allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
 
 rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
 
@@ -221,7 +221,7 @@ corecmd_search_bin(qmail_rspawn_t)
 #
 
 allow qmail_send_t self:process signal_perms;
-allow qmail_send_t self:fifo_file write;
+allow qmail_send_t self:fifo_file write_fifo_file_perms;
 
 manage_dirs_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
 manage_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t)
@@ -240,10 +240,10 @@ optional_policy(`
 #
 
 allow qmail_smtpd_t self:process signal_perms;
-allow qmail_smtpd_t self:fifo_file write;
+allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;
 allow qmail_smtpd_t self:tcp_socket create_socket_perms;
 
-allow qmail_smtpd_t qmail_queue_exec_t:file read;
+allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;
 
 dev_read_rand(qmail_smtpd_t)
 dev_read_urand(qmail_smtpd_t)
@@ -280,7 +280,7 @@ miscfiles_read_localization(qmail_splogger_t)
 
 allow qmail_start_t self:capability { setgid setuid };
 dontaudit qmail_start_t self:capability sys_tty_config;
-allow qmail_start_t self:fifo_file { getattr read write };
+allow qmail_start_t self:fifo_file rw_fifo_file_perms;
 allow qmail_start_t self:process signal_perms;
 
 can_exec(qmail_start_t, qmail_start_exec_t)
@@ -305,7 +305,7 @@ optional_policy(`
 #   this component sets up TCP-related environment variables
 #
 
-allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
+allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
 
 corecmd_search_bin(qmail_tcp_env_t)
 
diff --git a/policy/modules/services/resmgr.te b/policy/modules/services/resmgr.te
index 70c426f..167918d 100644
--- a/policy/modules/services/resmgr.te
+++ b/policy/modules/services/resmgr.te
@@ -25,7 +25,7 @@ allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
 dontaudit resmgrd_t self:capability sys_tty_config;
 allow resmgrd_t self:process signal_perms;
 
-allow resmgrd_t resmgrd_etc_t:file { getattr read };
+allow resmgrd_t resmgrd_etc_t:file read_file_perms;
 files_search_etc(resmgrd_t)
 
 allow resmgrd_t resmgrd_var_run_t:file manage_file_perms;
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index 5cd7567..78fe27b 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -84,7 +84,7 @@ files_lock_file(ricci_modstorage_lock_t)
 
 allow ricci_t self:capability { setuid sys_nice sys_boot };
 allow ricci_t self:process setsched;
-allow ricci_t self:fifo_file { read write };
+allow ricci_t self:fifo_file rw_fifo_file_perms;
 allow ricci_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow ricci_t self:tcp_socket create_stream_socket_perms;
 
@@ -362,7 +362,7 @@ optional_policy(`
 # ricci_modrpm local policy
 #
 
-allow ricci_modrpm_t self:fifo_file { getattr read };
+allow ricci_modrpm_t self:fifo_file read_fifo_file_perms;
 
 kernel_read_kernel_sysctls(ricci_modrpm_t)
 
@@ -390,7 +390,7 @@ optional_policy(`
 #
 
 allow ricci_modservice_t self:capability { dac_override sys_nice };
-allow ricci_modservice_t self:fifo_file { getattr read write };
+allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
 allow ricci_modservice_t self:process setsched;
 
 kernel_read_kernel_sysctls(ricci_modservice_t)
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index f0403ed..55995a5 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -95,7 +95,7 @@ optional_policy(`
 
 allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
 
-allow nfsd_t exports_t:file { getattr read };
+allow nfsd_t exports_t:file read_file_perms;
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
 
 # for /proc/fs/nfs/exports - should we have a new type?
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 14e1c8c..c7d47a5 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -220,7 +220,7 @@ allow smbd_t self:msg { send receive };
 allow smbd_t self:msgq create_msgq_perms;
 allow smbd_t self:sem create_sem_perms;
 allow smbd_t self:shm create_shm_perms;
-allow smbd_t self:sock_file read_file_perms;
+allow smbd_t self:sock_file read_sock_file_perms;
 allow smbd_t self:tcp_socket create_stream_socket_perms;
 allow smbd_t self:udp_socket create_socket_perms;
 allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -405,7 +405,7 @@ allow nmbd_t self:msg { send receive };
 allow nmbd_t self:msgq create_msgq_perms;
 allow nmbd_t self:sem create_sem_perms;
 allow nmbd_t self:shm create_shm_perms;
-allow nmbd_t self:sock_file read_file_perms;
+allow nmbd_t self:sock_file read_sock_file_perms;
 allow nmbd_t self:tcp_socket create_stream_socket_perms;
 allow nmbd_t self:udp_socket create_socket_perms;
 allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -572,17 +572,17 @@ allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow swat_t self:tcp_socket create_stream_socket_perms;
 allow swat_t self:udp_socket create_socket_perms;
 
-allow swat_t nmbd_exec_t:file { execute read };
+allow swat_t nmbd_exec_t:file mmap_file_perms;
 
 rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
 
 append_files_pattern(swat_t, samba_log_t, samba_log_t)
 
-allow swat_t smbd_exec_t:file execute ;
+allow swat_t smbd_exec_t:file mmap_file_perms ;
 
 allow swat_t smbd_t:process signull;
 
-allow swat_t smbd_var_run_t:file read;
+allow swat_t smbd_var_run_t:file read_file_perms;
 
 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
 manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
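Review bot: The `smbd_exec_t` rule goes from a bare `execute` to `mmap_file_perms`, which presumably also grants read (the nmbd_exec_t line it now mirrors previously had `{ execute read }`), so swat_t gains read access to that binary rather than just an `open` bit; the winbind_exec_t hunk below makes the same widening. That may well be the right thing for a domain that execs these binaries, but it is a permission change beyond the stated scope and deserves a word in the description. Also, the stray space before the semicolon survives the rewrite: `allow swat_t smbd_exec_t:file mmap_file_perms ;` should be `allow swat_t smbd_exec_t:file mmap_file_perms;`.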
@@ -591,7 +591,7 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
 manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
 files_pid_filetrans(swat_t, swat_var_run_t, file)
 
-allow swat_t winbind_exec_t:file execute;
+allow swat_t winbind_exec_t:file mmap_file_perms;
 
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
@@ -654,7 +654,7 @@ optional_policy(`
 allow winbind_t self:capability { dac_override ipc_lock setuid };
 dontaudit winbind_t self:capability sys_tty_config;
 allow winbind_t self:process signal_perms;
-allow winbind_t self:fifo_file { read write };
+allow winbind_t self:fifo_file rw_fifo_file_perms;
 allow winbind_t self:unix_dgram_socket create_socket_perms;
 allow winbind_t self:unix_stream_socket create_stream_socket_perms;
 allow winbind_t self:tcp_socket create_stream_socket_perms;
@@ -761,7 +761,7 @@ allow winbind_helper_t samba_etc_t:dir list_dir_perms;
 read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
 
-allow winbind_helper_t samba_var_t:dir search;
+allow winbind_helper_t samba_var_t:dir search_dir_perms;
 files_list_var_lib(winbind_helper_t)
 
 stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index df51a47..bc0c13a 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -34,7 +34,7 @@ files_pid_file(saslauthd_var_run_t)
 allow saslauthd_t self:capability setuid;
 dontaudit saslauthd_t self:capability sys_tty_config;
 allow saslauthd_t self:process signal_perms;
-allow saslauthd_t self:fifo_file { read write };
+allow saslauthd_t self:fifo_file rw_fifo_file_perms;
 allow saslauthd_t self:unix_dgram_socket create_socket_perms;
 allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
 allow saslauthd_t self:tcp_socket create_socket_perms;
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 715eba1..f583eb2 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -88,8 +88,7 @@ template(`spamassassin_per_role_template',`
 	files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir })
 
 	# Allow connecting to a local spamd
-	allow $1_spamc_t spamd_t:unix_stream_socket connectto;
-	allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;
+	stream_connect_pattern($1_spamc_t, spamd_tmp_t, spamd_tmp_t, spamd_t)
 
 	domtrans_pattern($2, spamc_exec_t, $1_spamc_t)
 
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index bf4e7a2..e433bbb 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -39,8 +39,8 @@ allow stunnel_t self:fifo_file rw_fifo_file_perms;
 allow stunnel_t self:tcp_socket create_stream_socket_perms;
 allow stunnel_t self:udp_socket create_socket_perms;
 
-allow stunnel_t stunnel_etc_t:dir { getattr read search };
-allow stunnel_t stunnel_etc_t:file { read getattr };
+allow stunnel_t stunnel_etc_t:dir list_dir_perms;
+allow stunnel_t stunnel_etc_t:file read_file_perms;
 allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
 
 manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 68ef3f9..0635932 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -39,8 +39,8 @@ allow tftpd_t self:unix_dgram_socket create_socket_perms;
 allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
 dontaudit tftpd_t self:capability sys_tty_config;
 
-allow tftpd_t tftpdir_t:dir { getattr read search };
-allow tftpd_t tftpdir_t:file { read getattr };
+allow tftpd_t tftpdir_t:dir list_dir_perms;
+allow tftpd_t tftpdir_t:file read_file_perms;
 allow tftpd_t tftpdir_t:lnk_file { getattr read };
 
 manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index d937480..51e0500 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -35,7 +35,7 @@ files_pid_file(tor_var_run_t)
 #
 
 allow tor_t self:capability { setgid setuid };
-allow tor_t self:fifo_file { read write };
+allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket create_stream_socket_perms;
 allow tor_t self:netlink_route_socket r_netlink_socket_perms;
 allow tor_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te
index 0077c4c..8afcd4c 100644
--- a/policy/modules/services/ucspitcp.te
+++ b/policy/modules/services/ucspitcp.te
@@ -52,7 +52,7 @@ optional_policy(`
 #
 
 allow ucspitcp_t self:capability { setgid setuid };
-allow ucspitcp_t self:fifo_file { read write };
+allow ucspitcp_t self:fifo_file rw_fifo_file_perms;
 allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
 allow ucspitcp_t self:udp_socket create_socket_perms;
 
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index 4840ab3..8932b66 100644
--- a/policy/modules/services/uptime.te
+++ b/policy/modules/services/uptime.te
@@ -26,9 +26,9 @@ files_pid_file(uptimed_var_run_t)
 
 dontaudit uptimed_t self:capability sys_tty_config;
 allow uptimed_t self:process signal_perms;
-allow uptimed_t self:fifo_file { getattr write };
+allow uptimed_t self:fifo_file write_file_perms;
 
-allow uptimed_t uptimed_etc_t:file { getattr read };
+allow uptimed_t uptimed_etc_t:file read_file_perms;
 files_search_etc(uptimed_t)
 
 allow uptimed_t uptimed_spool_t:file manage_file_perms;
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index 0c0353a..b7f8f7a 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -107,7 +107,7 @@ optional_policy(`
 #
 
 allow uux_t self:capability { setuid setgid };
-allow uux_t self:fifo_file { getattr write };
+allow uux_t self:fifo_file write_file_perms;
 
 uucp_append_log(uux_t)
 uucp_manage_spool(uux_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index a46e866..ce109e9 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -427,7 +427,7 @@ allow xdm_xserver_t xdm_t:shm rw_shm_perms;
 allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
 
-allow xdm_xserver_t xdm_var_run_t:file { getattr read };
+allow xdm_xserver_t xdm_var_run_t:file read_file_perms;
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index 3fcae71..1000a57 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -41,7 +41,7 @@ files_pid_file(zebra_var_run_t)
 allow zebra_t self:capability { setgid setuid net_admin net_raw };
 dontaudit zebra_t self:capability sys_tty_config;
 allow zebra_t self:process { signal_perms getcap setcap };
-allow zebra_t self:file { ioctl read write getattr lock append };
+allow zebra_t self:file rw_file_perms;
 allow zebra_t self:unix_dgram_socket create_socket_perms;
 allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 4b47e52..7b170e5 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -871,7 +871,7 @@ interface(`auth_manage_var_auth',`
 	files_search_var($1)
 	allow $1 var_auth_t:dir manage_dir_perms;
 	allow $1 var_auth_t:file rw_file_perms;
-	allow $1 var_auth_t:lnk_file rw_file_perms;
+	allow $1 var_auth_t:lnk_file rw_lnk_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index b62d578..7246fd8 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -263,7 +263,7 @@ optional_policy(`
 # System check password local policy
 #
 
-allow system_chkpwd_t shadow_t:file { getattr read };
+allow system_chkpwd_t shadow_t:file read_file_perms;
 
 corecmd_search_bin(system_chkpwd_t)
 
@@ -289,7 +289,7 @@ ifdef(`distro_ubuntu',`
 #
 
 allow updpwd_t self:process setfscreate;
-allow updpwd_t self:fifo_file { read write };
+allow updpwd_t self:fifo_file rw_fifo_file_perms;
 allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
 allow updpwd_t self:unix_dgram_socket create_socket_perms;
 
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index f6d05df..469f749 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -24,7 +24,7 @@ role system_r types hwclock_t;
 allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
 dontaudit hwclock_t self:capability sys_tty_config;
 allow hwclock_t self:process signal_perms;
-allow hwclock_t self:fifo_file { getattr read write };
+allow hwclock_t self:fifo_file rw_fifo_file_perms;
 
 # Allow hwclock to store & retrieve correction factors.
 allow hwclock_t adjtime_t:file { rw_file_perms setattr };
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index a7db5fe..302cc9c 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -774,7 +774,7 @@ interface(`init_read_state',`
 
 	allow $1 init_t:dir search_dir_perms;
 	allow $1 init_t:file read_file_perms;
-	allow $1 init_t:lnk_file read_file_perms;
+	allow $1 init_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 1381dd5..b1c3e74 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -59,7 +59,7 @@ allow ipsec_t self:process signal;
 allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:key_socket { create write read setopt };
-allow ipsec_t self:fifo_file { read getattr };
+allow ipsec_t self:fifo_file read_file_perms;
 
 allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
 read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
@@ -186,7 +186,7 @@ read_lnk_files_pattern(ipsec_mgmt_t,ipsec_t,ipsec_t)
 allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
 allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
 
-allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
+allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
 
 manage_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t)
 manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_key_file_t,ipsec_key_file_t)
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index deccf56..c8492b7 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -30,7 +30,7 @@ files_pid_file(iscsi_var_run_t)
 
 allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
 allow iscsid_t self:process { setrlimit setsched signal };
-allow iscsid_t self:fifo_file { read write };
+allow iscsid_t self:fifo_file rw_fifo_file_perms;
 allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow iscsid_t self:unix_dgram_socket create_socket_perms;
 allow iscsid_t self:sem create_sem_perms;
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 86b1851..4855a56 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -451,7 +451,7 @@ interface(`logging_send_syslog_msg',`
 	')
 
 	allow $1 devlog_t:lnk_file read;
-	allow $1 devlog_t:sock_file rw_file_perms;
+	allow $1 devlog_t:sock_file rw_sock_file_perms;
 
 	# the type of socket depends on the syslog daemon
 	allow $1 syslogd_t:unix_dgram_socket sendto;
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index d7c7dcf..072759f 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -127,7 +127,7 @@ logging_send_syslog_msg(auditctl_t)
 allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
 dontaudit auditd_t self:capability sys_tty_config;
 allow auditd_t self:process { signal_perms setpgid setsched };
-allow auditd_t self:file { getattr read write };
+allow auditd_t self:file rw_file_perms;
 allow auditd_t self:unix_dgram_socket create_socket_perms;
 allow auditd_t self:fifo_file rw_file_perms;
 allow auditd_t self:tcp_socket create_stream_socket_perms;
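Review bot: The context line directly below the change, `allow auditd_t self:fifo_file rw_file_perms;`, keeps the file-class macro on a fifo_file, the exact class/macro mismatch the commit corrects for udev (`read_sock_file_perms`) and authlogin (`rw_lnk_file_perms`); the next hunk's header shows audisp_t carries the same rule. Since this block is being touched anyway, both should become `rw_fifo_file_perms` so the per-class macro convention this series establishes is applied consistently.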
@@ -227,7 +227,7 @@ allow audisp_t self:fifo_file rw_file_perms;
 allow audisp_t self:unix_stream_socket create_stream_socket_perms;
 allow audisp_t self:unix_dgram_socket create_socket_perms;
 
-allow audisp_t auditd_t:unix_stream_socket rw_file_perms;
+allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
 
 manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
 files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 16bf947..aeb194b 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -440,7 +440,7 @@ allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 allow semanage_t self:unix_dgram_socket create_socket_perms;
 allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
-allow semanage_t policy_config_t:file { read write };
+allow semanage_t policy_config_t:file rw_file_perms;
 
 allow semanage_t semanage_tmp_t:dir manage_dir_perms;
 allow semanage_t semanage_tmp_t:file manage_file_perms;
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 34d03d9..15ad57c 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -56,7 +56,6 @@ allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
 read_lnk_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t)
 exec_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t)
 
-allow dhcpc_t dhcp_state_t:file { getattr read };
 manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t)
 filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file)
 
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index f88cf17..9c832b6 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -45,7 +45,7 @@ allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem ex
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
 allow udev_t self:fifo_file rw_fifo_file_perms;
-allow udev_t self:sock_file read_file_perms;
+allow udev_t self:sock_file read_sock_file_perms;
 allow udev_t self:shm create_shm_perms;
 allow udev_t self:sem create_sem_perms;
 allow udev_t self:msgq create_msgq_perms;
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 6b6823d..3b04a40 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -123,10 +123,7 @@ manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t)
 files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
 
 # transition to store
-domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
-allow xenstored_t xend_t:fd use;
-allow xenstored_t xend_t:process sigchld;
-allow xenstored_t xend_t:fifo_file write;
+domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
 
 # transition to console
 domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
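Review bot: Collapsing the four explicit rules into `domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)` changes what xenstored_t gets on xend_t FIFOs: the old rule was `write` only, and if domtrans_pattern grants the child the usual `rw_fifo_file_perms` (as the other rewrites in this series do), this widens to read as well. That is probably acceptable for a child inheriting its parent's pipes, but it is a permission change beyond adding `open` and the description does not mention it. The sibling `domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)` on the context line below is left in the old form, so the hunk is also inconsistent with itself; either convert both or note why xenconsoled keeps the explicit rules.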
@@ -224,7 +221,7 @@ optional_policy(`
 
 allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
 allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
-allow xenconsoled_t self:fifo_file { read write };
+allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
 
 allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
 
@@ -318,7 +315,7 @@ xen_append_log(xenstored_t)
 allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
 
 # internal communication is often done using fifo and unix sockets.
-allow xm_t self:fifo_file { read write };
+allow xm_t self:fifo_file rw_fifo_file_perms;
 allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xm_t self:tcp_socket create_stream_socket_perms;
 
diff --git a/policy/policy_capabilities b/policy/policy_capabilities
index ad2d5d6..054cfbc 100644
--- a/policy/policy_capabilities
+++ b/policy/policy_capabilities
@@ -2,7 +2,7 @@
 # This file contains the policy capabilites
 # that are enabled in this policy, not a
 # declaration of DAC capabilites such as
-# CAP_DAC_OVERRIDE.
+# dac_override.
 #
 # The affected object classes and their
 # permissions should also be listed in
@@ -25,9 +25,8 @@
 # Checks enabled:
 # dir: open
 # file: open
-# lnk_file: open
 # fifo_file: open
 # chr_file: open
 # blk_file: open
 #
-#policycap open_perms;
+policycap open_perms;
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index d308697..0960f33 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -59,22 +59,22 @@ define(`stat_file_perms', `{ getattr } refpolicywarn(`$0 is deprecated please us
 # 
 # Permissions for executing files.
 #
-define(`x_file_perms', `{ getattr execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')')
+define(`x_file_perms', `{ getattr open execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')')
 
 # 
 # Permissions for reading files and their attributes.
 #
-define(`r_file_perms', `{ read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')')
+define(`r_file_perms', `{ open read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')')
 
 # 
 # Permissions for reading and executing files.
 #
-define(`rx_file_perms', `{ read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')')
+define(`rx_file_perms', `{ open read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')')
 
 # 
 # Permissions for reading and appending to files.
 #
-define(`ra_file_perms', `{ ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')')
+define(`ra_file_perms', `{ open ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')')
 
 #
 # Permissions for linking, unlinking and renaming files.
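Review bot: The new `x_file_perms` definition adds `open` but its deprecation message still tells callers to replace it with `{ getattr execute }`, a set that lacks `open` and will therefore be denied on execve once `policycap open_perms` is enabled elsewhere in this commit; the warning should track the definition, e.g. `refpolicywarn(`$0 is deprecated please use { getattr open execute } instead.')`. The other three warnings in this hunk point at named sets (`read_file_perms`, `mmap_file_perms`, `append_file_perms`) that gain `open` in the same commit, so only `x_file_perms` is affected.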
@@ -89,17 +89,12 @@ define(`create_lnk_perms', `{ create read getattr setattr link unlink rename } r
 # 
 # Permissions for reading directories and their attributes.
 #
-define(`r_dir_perms', `{ read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')')
-
-# 
-# Permissions for reading and writing directories and their attributes.
-#
-define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
+define(`r_dir_perms', `{ open read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')')
 
 # 
 # Permissions for reading and adding names to directories.
 #
-define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')')
+define(`ra_dir_perms', `{ open read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')')
 
 
 #
@@ -187,9 +182,10 @@ define(`create_shm_perms', `{ associate getattr setattr create destroy read writ
 define(`getattr_dir_perms',`{ getattr }')
 define(`setattr_dir_perms',`{ setattr }')
 define(`search_dir_perms',`{ getattr search }')
-define(`list_dir_perms',`{ getattr search read lock ioctl }')
-define(`add_entry_dir_perms',`{ getattr search lock ioctl write add_name }')
-define(`del_entry_dir_perms',`{ getattr search lock ioctl write remove_name }')
+define(`list_dir_perms',`{ getattr search open read lock ioctl }')
+define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }')
+define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }')
+define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }')
 define(`create_dir_perms',`{ getattr create }')
 define(`rename_dir_perms',`{ getattr rename }')
 define(`delete_dir_perms',`{ getattr rmdir }')
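Review bot: The relocated `rw_dir_perms` line is formatted differently from every other entry in this block: it has a space after the comma (`define(`rw_dir_perms', `{`) and lists permissions in the old `open read getattr lock search ioctl add_name remove_name write` order, while the neighbouring sets use `define(`name',`{` with the `getattr search open ... ` ordering. Since the move already rewrites the line, it could be normalised to `define(`rw_dir_perms',`{ getattr search open read lock ioctl write add_name remove_name }')`, which is the same permission set and reads as an extension of `add_entry_dir_perms`/`del_entry_dir_perms` above it. The matching removal is in the preceding hunk of this file.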
@@ -203,12 +199,12 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
 #
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
-define(`read_file_perms',`{ getattr read lock ioctl }')
-define(`mmap_file_perms',`{ getattr read execute ioctl }')
-define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
-define(`append_file_perms',`{ getattr append lock ioctl }')
-define(`write_file_perms',`{ getattr write append lock ioctl }')
-define(`rw_file_perms',`{ getattr read write append ioctl lock }')
+define(`read_file_perms',`{ getattr open read lock ioctl }')
+define(`mmap_file_perms',`{ getattr open read execute ioctl }')
+define(`exec_file_perms',`{ getattr open read execute execute_no_trans }')
+define(`append_file_perms',`{ getattr open append lock ioctl }')
+define(`write_file_perms',`{ getattr open write append lock ioctl }')
+define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
 define(`create_file_perms',`{ getattr create open }')
 define(`rename_file_perms',`{ getattr rename }')
 define(`delete_file_perms',`{ getattr unlink }')
@@ -239,10 +235,10 @@ define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
 #
 define(`getattr_fifo_file_perms',`{ getattr }')
 define(`setattr_fifo_file_perms',`{ setattr }')
-define(`read_fifo_file_perms',`{ getattr read lock ioctl }')
-define(`append_fifo_file_perms',`{ getattr append lock ioctl }')
-define(`write_fifo_file_perms',`{ getattr write append lock ioctl }')
-define(`rw_fifo_file_perms',`{ getattr read write append ioctl lock }')
+define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
+define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
+define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
+define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
 define(`create_fifo_file_perms',`{ getattr create open }')
 define(`rename_fifo_file_perms',`{ getattr rename }')
 define(`delete_fifo_file_perms',`{ getattr unlink }')
@@ -272,10 +268,10 @@ define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')
 #
 define(`getattr_blk_file_perms',`{ getattr }')
 define(`setattr_blk_file_perms',`{ setattr }')
-define(`read_blk_file_perms',`{ getattr read lock ioctl }')
-define(`append_blk_file_perms',`{ getattr append lock ioctl }')
-define(`write_blk_file_perms',`{ getattr write append lock ioctl }')
-define(`rw_blk_file_perms',`{ getattr read write append ioctl lock }')
+define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
+define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
+define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
+define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
 define(`create_blk_file_perms',`{ getattr create }')
 define(`rename_blk_file_perms',`{ getattr rename }')
 define(`delete_blk_file_perms',`{ getattr unlink }')
@@ -289,10 +285,10 @@ define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }')
 #
 define(`getattr_chr_file_perms',`{ getattr }')
 define(`setattr_chr_file_perms',`{ setattr }')
-define(`read_chr_file_perms',`{ getattr read lock ioctl }')
-define(`append_chr_file_perms',`{ getattr append lock ioctl }')
-define(`write_chr_file_perms',`{ getattr write append lock ioctl }')
-define(`rw_chr_file_perms',`{ getattr read write append ioctl lock }')
+define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
+define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
+define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
+define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
 define(`create_chr_file_perms',`{ getattr create }')
 define(`rename_chr_file_perms',`{ getattr rename }')
 define(`delete_chr_file_perms',`{ getattr unlink }')
@@ -309,7 +305,7 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
 #
 # Use (read and write) terminals
 #
-define(`rw_term_perms', `{ getattr read write ioctl }')
+define(`rw_term_perms', `{ getattr open read write ioctl }')
 
 #
 # Sockets