diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
index d9bf917..d0a0063 100644
--- a/policy/modules/services/cachefilesd.te
+++ b/policy/modules/services/cachefilesd.te
@@ -102,8 +102,8 @@ files_create_as_is_all_files(cachefilesd_t)
 allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
 # Allow access to cache superstructure
-allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms rmdir };
-allow cachefilesd_t cachefiles_var_t:file { getattr rename unlink };
+allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
+allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms};
 # Permit statfs on the backing filesystem
 fs_getattr_xattr_fs(cachefilesd_t)
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index a0dfd2f..d60e2bf 100644
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
 allow canna_t self:tcp_socket create_stream_socket_perms;
 manage_files_pattern(canna_t, canna_log_t, canna_log_t)
-allow canna_t canna_log_t:dir setattr;
+allow canna_t canna_log_t:dir setattr_dir_perms;
 logging_log_filetrans(canna_t, canna_log_t, { file dir })
 manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index bffe6b6..112dc77 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
 manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
 files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
-allow ccs_t ccs_var_log_t:dir setattr;
+allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
 manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
 manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
 logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
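Review bot: `{ rename delete_file_perms}` in the new cachefilesd file rule is missing the space before the closing brace, while the sibling dir rule on the line above writes `{ rw_dir_perms delete_dir_perms }`; `allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms };` keeps the two consistent with the rest of the hunks in this commit. The permission set itself is unchanged, since delete_file_perms expands to getattr and unlink, matching the removed `{ getattr rename unlink }`.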
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 16598a4..ae2656a 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -182,7 +182,7 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
 # log files (own logfiles only)
 manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
-allow freshclam_t freshclam_var_log_t:dir setattr;
+allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
 read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
 logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 37f4810..cc93958 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -93,7 +93,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
 # inherits file handle - should it?
-allow courier_pop_t courier_var_lib_t:file { read write };
+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
 miscfiles_read_localization(courier_pop_t)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 45f5a6f..eb079a2 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -128,7 +128,7 @@ files_pid_file(system_cronjob_var_run_t)
 #
 # Allow our crontab domain to unlink a user cron spool file.
-allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
 # Manipulate other users crontab.
 selinux_get_fs_mount(admin_crontab_t)
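Review bot: The new courier rule grants more than the `{ read write }` it replaces — as defined in refpolicy's obj_perm_sets.spt, `rw_inherited_file_perms` also carries getattr, append, ioctl and lock — while the comment right above it still questions whether courier_pop_t should touch this file at all. If the conversion is meant to be permission-neutral, the old `allow courier_pop_t courier_var_lib_t:file { read write };` was already the minimal set; otherwise the broadening deserves a sentence in the commit message. The same silent widening occurs in cron.te, where `{ getattr read unlink }` becomes `{ read_file_perms delete_file_perms }` and thereby adds open, lock and ioctl; in lpd.te, where `search` and `write` become `search_dir_perms` and `write_sock_file_perms` (adding getattr and, depending on the refpolicy version, open/append); and in kerberos.te, where the kadmind dontaudit grows from `{ write setattr }` to `write_file_perms`, which additionally hides open, append, ioctl and lock denials on krb5kdc_conf_t.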
@@ -351,7 +351,7 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
 # This is to handle /var/lib/misc directory. Used currently
 # by prelink var/lib files for cron
-allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto };
+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
 files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
 allow system_cronjob_t cron_var_run_t:file manage_file_perms;
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 11e74af..6160cea 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -149,7 +149,7 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
 files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
-allow cupsd_t cupsd_var_run_t:dir setattr;
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
 manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
 manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
@@ -163,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
 allow cupsd_t hplip_var_run_t:file read_file_perms;
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
-allow cupsd_t ptal_var_run_t : sock_file setattr;
+allow cupsd_t ptal_var_run_t : sock_file setattr_sock_file_perms;
 kernel_read_system_state(cupsd_t)
 kernel_read_network_state(cupsd_t)
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index fd30b02..e09b9df 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
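Review bot: The rewritten cups line `+allow cupsd_t ptal_var_run_t : sock_file setattr_sock_file_perms;` keeps the stray spaces around the class colon, which no other rule touched by this commit uses; since the line is being edited anyway, `allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;` matches the surrounding rules. The permission change itself is neutral, as setattr_sock_file_perms is just setattr.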
@@ -36,7 +36,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
 allow fail2ban_t self:tcp_socket create_stream_socket_perms;
 # log files
-allow fail2ban_t fail2ban_log_t:dir setattr;
+allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms;
 manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 34a0014..6033c3b 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -187,7 +187,7 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
 # it can stat the socket to perform access control decisions,
 # since getsockopt with SO_PEERCRED is not available on all
 # proftpd-supported OSs
-allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
+allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
 # Create and modify /var/log/xferlog.
 manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
@@ -388,7 +388,7 @@ stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
 # ftpdctl creates a socket so that the daemon can perform
 # access control decisions (see comments in ftpd_t rules above)
-allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
+allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
 files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
 # Allow ftpdctl to read config files
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index 05119f7..61ea05e 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -46,7 +46,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
 can_exec(innd_t, innd_exec_t)
 manage_files_pattern(innd_t, innd_log_t, innd_log_t)
-allow innd_t innd_log_t:dir setattr;
+allow innd_t innd_log_t:dir setattr_dir_perms;
 logging_log_filetrans(innd_t, innd_log_t, file)
 manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
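Review bot: `manage_sock_file_perms` on the new ftpdctl line is a large step up from `{ create setattr }`: it also grants unlink, rename, link, read, write and the rest of the manage set on ftpdctl_tmp_t, none of which the comment above ("ftpdctl creates a socket") calls for, and the ftpd_t hunk earlier in this file shows the daemon side is the one expected to unlink the socket. The exact macro form of the old rule is `allow ftpdctl_t ftpdctl_tmp_t:sock_file { create_sock_file_perms setattr_sock_file_perms };`, which keeps this a pure cleanup. If ftpdctl genuinely needs to remove a stale socket, that is a behavioural change worth its own line and a mention in the commit message rather than an implicit side effect of the macro swap.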
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 225e33f..4e39714 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -93,9 +93,9 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
 dontaudit kadmind_t krb5_conf_t:file write;
 read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
-dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
+dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
-allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
+allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
 allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
 filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
@@ -197,7 +197,7 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
 read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
 dontaudit krb5kdc_t krb5kdc_conf_t:file write;
-allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
+allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
 allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
 logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 4d31118..2727020 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -80,7 +80,7 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
 delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
 files_search_spool(checkpc_t)
-allow checkpc_t printconf_t:file getattr;
+allow checkpc_t printconf_t:file getattr_file_perms;
 allow checkpc_t printconf_t:dir list_dir_perms;
 kernel_read_system_state(checkpc_t)
@@ -284,8 +284,8 @@ userdom_read_user_tmp_files(lpr_t)
 tunable_policy(`use_lpd_server',`
 # lpr can run in lightweight mode, without a local print spooler.
- allow lpr_t lpd_var_run_t:dir search;
- allow lpr_t lpd_var_run_t:sock_file write;
+ allow lpr_t lpd_var_run_t:dir search_dir_perms;
+ allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
 files_read_var_files(lpr_t)
 # Connect to lpd via a Unix domain socket.
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index b370d53..5e96c0a 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -69,7 +69,7 @@ manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
 allow mysqld_t mysqld_etc_t:file read_file_perms;
-allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
+allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
 allow mysqld_t mysqld_etc_t:dir list_dir_perms;
 allow mysqld_t mysqld_log_t:file manage_file_perms;