diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
index d9bf917..d0a0063 100644
--- a/policy/modules/services/cachefilesd.te
+++ b/policy/modules/services/cachefilesd.te
@@ -102,8 +102,8 @@ files_create_as_is_all_files(cachefilesd_t)
allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
# Allow access to cache superstructure
-allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms rmdir };
-allow cachefilesd_t cachefiles_var_t:file { getattr rename unlink };
+allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms };
+allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms};
# Permit statfs on the backing filesystem
fs_getattr_xattr_fs(cachefilesd_t)
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index a0dfd2f..d60e2bf 100644
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@@ -34,7 +34,7 @@ allow canna_t self:unix_dgram_socket create_stream_socket_perms;
allow canna_t self:tcp_socket create_stream_socket_perms;
manage_files_pattern(canna_t, canna_log_t, canna_log_t)
-allow canna_t canna_log_t:dir setattr;
+allow canna_t canna_log_t:dir setattr_dir_perms;
logging_log_filetrans(canna_t, canna_log_t, { file dir })
manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index bffe6b6..112dc77 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
-allow ccs_t ccs_var_log_t:dir setattr;
+allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 16598a4..ae2656a 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -182,7 +182,7 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
-allow freshclam_t freshclam_var_log_t:dir setattr;
+allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms;
read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 37f4810..cc93958 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -93,7 +93,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
# inherits file handle - should it?
-allow courier_pop_t courier_var_lib_t:file { read write };
+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
miscfiles_read_localization(courier_pop_t)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 45f5a6f..eb079a2 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -128,7 +128,7 @@ files_pid_file(system_cronjob_var_run_t)
#
# Allow our crontab domain to unlink a user cron spool file.
-allow admin_crontab_t user_cron_spool_t:file { getattr read unlink };
+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
# Manipulate other users crontab.
selinux_get_fs_mount(admin_crontab_t)
@@ -351,7 +351,7 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
-allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto };
+allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
allow system_cronjob_t cron_var_run_t:file manage_file_perms;
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 11e74af..6160cea 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -149,7 +149,7 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
-allow cupsd_t cupsd_var_run_t:dir setattr;
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
@@ -163,7 +163,7 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
allow cupsd_t hplip_var_run_t:file read_file_perms;
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
-allow cupsd_t ptal_var_run_t : sock_file setattr;
+allow cupsd_t ptal_var_run_t : sock_file setattr_sock_file_perms;
kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index fd30b02..e09b9df 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -36,7 +36,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
allow fail2ban_t self:tcp_socket create_stream_socket_perms;
# log files
-allow fail2ban_t fail2ban_log_t:dir setattr;
+allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms;
manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 34a0014..6033c3b 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -187,7 +187,7 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir} )
# it can stat the socket to perform access control decisions,
# since getsockopt with SO_PEERCRED is not available on all
# proftpd-supported OSs
-allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
+allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
@@ -388,7 +388,7 @@ stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
# ftpdctl creates a socket so that the daemon can perform
# access control decisions (see comments in ftpd_t rules above)
-allow ftpdctl_t ftpdctl_tmp_t:sock_file { create setattr };
+allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
# Allow ftpdctl to read config files
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index 05119f7..61ea05e 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -46,7 +46,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
can_exec(innd_t, innd_exec_t)
manage_files_pattern(innd_t, innd_log_t, innd_log_t)
-allow innd_t innd_log_t:dir setattr;
+allow innd_t innd_log_t:dir setattr_dir_perms;
logging_log_filetrans(innd_t, innd_log_t, file)
manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 225e33f..4e39714 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -93,9 +93,9 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
dontaudit kadmind_t krb5_conf_t:file write;
read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
-dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
+dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
-allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
+allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
@@ -197,7 +197,7 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
-allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
+allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 4d31118..2727020 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -80,7 +80,7 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
files_search_spool(checkpc_t)
-allow checkpc_t printconf_t:file getattr;
+allow checkpc_t printconf_t:file getattr_file_perms;
allow checkpc_t printconf_t:dir list_dir_perms;
kernel_read_system_state(checkpc_t)
@@ -284,8 +284,8 @@ userdom_read_user_tmp_files(lpr_t)
tunable_policy(`use_lpd_server',`
# lpr can run in lightweight mode, without a local print spooler.
- allow lpr_t lpd_var_run_t:dir search;
- allow lpr_t lpd_var_run_t:sock_file write;
+ allow lpr_t lpd_var_run_t:dir search_dir_perms;
+ allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
files_read_var_files(lpr_t)
# Connect to lpd via a Unix domain socket.
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index b370d53..5e96c0a 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -69,7 +69,7 @@ manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
allow mysqld_t mysqld_etc_t:file read_file_perms;
-allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
+allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
allow mysqld_t mysqld_etc_t:dir list_dir_perms;
allow mysqld_t mysqld_log_t:file manage_file_perms;