diff --git a/refpolicy/policy/modules/admin/acct.if b/refpolicy/policy/modules/admin/acct.if
index fe69889..87aaa03 100644
--- a/refpolicy/policy/modules/admin/acct.if
+++ b/refpolicy/policy/modules/admin/acct.if
@@ -11,9 +11,6 @@
 interface(`acct_domtrans',`
 gen_require(`
 type acct_t, acct_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 corecmd_search_sbin($1)
@@ -72,9 +69,6 @@ interface(`acct_exec_data',`
 interface(`acct_manage_data',`
 gen_require(`
 type acct_data_t;
- class dir rw_dir_perms;
- class file create_file_perms;
- class lnk_file create_lnk_perms;
 ')
 files_search_var($1)
diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if
index 42a741b..eb88ef3 100644
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
@@ -13,9 +13,6 @@
 interface(`consoletype_domtrans',`
 gen_require(`
 type consoletype_t, consoletype_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 corecmd_search_sbin($1)
diff --git a/refpolicy/policy/modules/admin/kudzu.if b/refpolicy/policy/modules/admin/kudzu.if
index f40c5f3..f81349f 100644
--- a/refpolicy/policy/modules/admin/kudzu.if
+++ b/refpolicy/policy/modules/admin/kudzu.if
@@ -11,9 +11,6 @@
 interface(`kudzu_domtrans',`
 gen_require(`
 type kudzu_t, kudzu_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 domain_auto_trans($1,kudzu_exec_t,kudzu_t)
@@ -42,7 +39,6 @@ interface(`kudzu_domtrans',`
 interface(`kudzu_run',`
 gen_require(`
 type kudzu_t;
- class chr_file rw_term_perms;
 ')
 kudzu_domtrans($1)
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
index 1738f27..9e9b2dd 100644
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@@ -11,9 +11,6 @@
 interface(`netutils_domtrans',`
 gen_require(`
 type netutils_t, netutils_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 domain_auto_trans($1,netutils_exec_t,netutils_t)
@@ -42,7 +39,6 @@ interface(`netutils_domtrans',`
 interface(`netutils_run',`
 gen_require(`
 type netutils_t;
- class chr_file rw_term_perms;
 ')
 netutils_domtrans($1)
@@ -77,9 +73,6 @@ interface(`netutils_exec',`
 interface(`netutils_domtrans_ping',`
 gen_require(`
 type ping_t, ping_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 domain_auto_trans($1,ping_exec_t,ping_t)
@@ -171,9 +164,6 @@ interface(`netutils_exec_ping',`
 interface(`netutils_domtrans_traceroute',`
 gen_require(`
 type traceroute_t, traceroute_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 domain_auto_trans($1,traceroute_exec_t,traceroute_t)
@@ -202,7 +192,6 @@ interface(`netutils_domtrans_traceroute',`
 interface(`netutils_run_traceroute',`
 gen_require(`
 type traceroute_t;
- class chr_file rw_term_perms;
 ')
 netutils_domtrans_traceroute($1)
diff --git a/refpolicy/policy/modules/admin/quota.if b/refpolicy/policy/modules/admin/quota.if
index ed0e637..fd42285 100644
--- a/refpolicy/policy/modules/admin/quota.if
+++ b/refpolicy/policy/modules/admin/quota.if
@@ -11,9 +11,6 @@
 interface(`quota_domtrans',`
 gen_require(`
 type quota_t, quota_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 domain_auto_trans($1,quota_exec_t,quota_t)
@@ -42,7 +39,6 @@ interface(`quota_domtrans',`
 interface(`quota_run',`
 gen_require(`
 type quota_t;
- class chr_file rw_term_perms;
 ')
 quota_domtrans($1)
@@ -62,7 +58,6 @@ interface(`quota_run',`
 interface(`quota_dontaudit_getattr_db',`
 gen_require(`
 type quota_db_t;
- class file getattr;
 ')
 dontaudit $1 quota_db_t:file getattr;
@@ -71,8 +66,6 @@ interface(`quota_dontaudit_getattr_db',`
 interface(`quota_manage_flags',`
 gen_require(`
 type quota_flag_t;
- class dir rw_dir_perms;
- class file create_file_perms;
 ')
 files_search_var_lib($1)
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index af76502..6fcb7fc 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -11,9 +11,6 @@
 interface(`rpm_domtrans',`
 gen_require(`
 type rpm_t, rpm_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 files_search_usr($1)
@@ -65,7 +62,6 @@ interface(`rpm_script_domtrans',`
 interface(`rpm_run',`
 gen_require(`
 type rpm_t, rpm_script_t;
- class chr_file rw_term_perms;
 ')
 rpm_domtrans($1)
@@ -86,7 +82,6 @@ interface(`rpm_run',`
 interface(`rpm_use_fd',`
 gen_require(`
 type rpm_t;
- class fd use;
 ')
 allow $1 rpm_t:fd use;
@@ -103,7 +98,6 @@ interface(`rpm_use_fd',`
 interface(`rpm_read_pipe',`
 gen_require(`
 type rpm_t;
- class fifo_file r_file_perms;
 ')
 allow $1 rpm_t:fifo_file r_file_perms;
@@ -120,7 +114,6 @@ interface(`rpm_read_pipe',`
 interface(`rpm_rw_pipe',`
 gen_require(`
 type rpm_t;
- class fifo_file rw_file_perms;
 ')
 allow $1 rpm_t:fifo_file rw_file_perms;
@@ -137,7 +130,6 @@ interface(`rpm_rw_pipe',`
 interface(`rpm_manage_log',`
 gen_require(`
 type rpm_log_t;
- class file create_file_perms;
 ')
 logging_rw_log_dir($1)
@@ -155,7 +147,6 @@ interface(`rpm_manage_log',`
 interface(`rpm_use_script_fd',`
 gen_require(`
 type rpm_script_t;
- class fd use;
 ')
 allow $1 rpm_script_t:fd use;
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
index 77d92bc..533d203 100644
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@@ -11,9 +11,6 @@
 interface(`usermanage_domtrans_chfn',`
 gen_require(`
 type chfn_t, chfn_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 files_search_usr($1)
@@ -44,7 +41,6 @@ interface(`usermanage_domtrans_chfn',`
 interface(`usermanage_run_chfn',`
 gen_require(`
 type chfn_t;
- class chr_file rw_term_perms;
 ')
 usermanage_domtrans_chfn($1)
@@ -63,9 +59,6 @@ interface(`usermanage_run_chfn',`
 interface(`usermanage_domtrans_groupadd',`
 gen_require(`
 type groupadd_t, groupadd_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 files_search_usr($1)
@@ -96,7 +89,6 @@ interface(`usermanage_domtrans_groupadd',`
 interface(`usermanage_run_groupadd',`
 gen_require(`
 type groupadd_t;
- class chr_file rw_term_perms;
 ')
 usermanage_domtrans_groupadd($1)
@@ -115,9 +107,6 @@ interface(`usermanage_run_groupadd',`
 interface(`usermanage_domtrans_passwd',`
 gen_require(`
 type passwd_t, passwd_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 files_search_usr($1)
@@ -148,7 +137,6 @@ interface(`usermanage_domtrans_passwd',`
 interface(`usermanage_run_passwd',`
 gen_require(`
 type passwd_t;
- class chr_file rw_term_perms;
 ')
 usermanage_domtrans_passwd($1)
@@ -217,9 +205,6 @@ interface(`usermanage_run_admin_passwd',`
 interface(`usermanage_domtrans_useradd',`
 gen_require(`
 type useradd_t, useradd_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 files_search_usr($1)
@@ -250,7 +235,6 @@ interface(`usermanage_domtrans_useradd',`
 interface(`usermanage_run_useradd',`
 gen_require(`
 type useradd_t;
- class chr_file rw_term_perms;
 ')
 usermanage_domtrans_useradd($1)
@@ -269,7 +253,6 @@ interface(`usermanage_run_useradd',`
 interface(`usermanage_read_crack_db',`
 gen_require(`
 type crack_db_t;
- class file r_file_perms;
 ')
 allow $1 crack_db_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/kernel/corecommands.if b/refpolicy/policy/modules/kernel/corecommands.if
index 8e9100a..0eff2f0 100644
--- a/refpolicy/policy/modules/kernel/corecommands.if
+++ b/refpolicy/policy/modules/kernel/corecommands.if
@@ -59,7 +59,6 @@ interface(`corecmd_shell_entry_type',`
 interface(`corecmd_search_bin',`
 gen_require(`
 type bin_t;
- class dir search;
 ')
 allow $1 bin_t:dir search;
@@ -72,7 +71,6 @@ interface(`corecmd_search_bin',`
 interface(`corecmd_list_bin',`
 gen_require(`
 type bin_t;
- class dir r_dir_perms;
 ')
 allow $1 bin_t:dir r_dir_perms;
@@ -89,7 +87,6 @@ interface(`corecmd_list_bin',`
 interface(`corecmd_getattr_bin_file',`
 gen_require(`
 type bin_t;
- class file getattr;
 ')
 allow $1 bin_t:file getattr;
@@ -106,8 +103,6 @@ interface(`corecmd_getattr_bin_file',`
 interface(`corecmd_read_bin_file',`
 gen_require(`
 type bin_t;
- class dir search;
- class file r_file_perms;
 ')
 allow $1 bin_t:dir search;
@@ -125,8 +120,6 @@ interface(`corecmd_read_bin_file',`
 interface(`corecmd_read_bin_symlink',`
 gen_require(`
 type bin_t;
- class dir search;
- class lnk_file r_file_perms;
 ')
 allow $1 bin_t:dir search;
@@ -144,8 +137,6 @@ interface(`corecmd_read_bin_symlink',`
 interface(`corecmd_read_bin_pipe',`
 gen_require(`
 type bin_t;
- class dir search;
- class fifo_file r_file_perms;
 ')
 allow $1 bin_t:dir search;
@@ -163,8 +154,6 @@ interface(`corecmd_read_bin_pipe',`
 interface(`corecmd_read_bin_socket',`
 gen_require(`
 type bin_t;
- class dir search;
- class sock_file r_file_perms;
 ')
 allow $1 bin_t:dir search;
@@ -178,8 +167,6 @@ interface(`corecmd_read_bin_socket',`
 interface(`corecmd_exec_bin',`
 gen_require(`
 type bin_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
 ')
 allow $1 bin_t:dir r_dir_perms;
@@ -357,7 +344,6 @@ interface(`corecmd_dontaudit_search_sbin',`
 interface(`corecmd_list_sbin',`
 gen_require(`
 type sbin_t;
- class dir r_dir_perms;
 ')
 allow $1 sbin_t:dir r_dir_perms;
@@ -370,7 +356,6 @@ interface(`corecmd_list_sbin',`
 interface(`corecmd_getattr_sbin_file',`
 gen_require(`
 type sbin_t;
- class file getattr;
 ')
 allow $1 sbin_t:file getattr;
@@ -383,7 +368,6 @@ interface(`corecmd_getattr_sbin_file',`
 interface(`corecmd_dontaudit_getattr_sbin_file',`
 gen_require(`
 type sbin_t;
- class file getattr;
 ')
 dontaudit $1 sbin_t:file getattr;
@@ -400,8 +384,6 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
 interface(`corecmd_read_sbin_file',`
 gen_require(`
 type sbin_t;
- class dir search;
- class file r_file_perms;
 ')
 allow $1 sbin_t:dir search;
@@ -419,8 +401,6 @@ interface(`corecmd_read_sbin_file',`
 interface(`corecmd_read_sbin_symlink',`
 gen_require(`
 type sbin_t;
- class dir search;
- class lnk_file r_file_perms;
 ')
 allow $1 sbin_t:dir search;
@@ -438,8 +418,6 @@ interface(`corecmd_read_sbin_symlink',`
 interface(`corecmd_read_sbin_pipe',`
 gen_require(`
 type sbin_t;
- class dir search;
- class fifo_file r_file_perms;
 ')
 allow $1 sbin_t:dir search;
@@ -457,8 +435,6 @@ interface(`corecmd_read_sbin_pipe',`
 interface(`corecmd_read_sbin_socket',`
 gen_require(`
 type sbin_t;
- class dir search;
- class sock_file r_file_perms;
 ')
 allow $1 sbin_t:dir search;
@@ -472,8 +448,6 @@ interface(`corecmd_read_sbin_socket',`
 interface(`corecmd_exec_sbin',`
 gen_require(`
 type sbin_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
 ')
 allow $1 sbin_t:dir r_dir_perms;
@@ -568,8 +542,6 @@ interface(`corecmd_mmap_sbin_files',`
 interface(`corecmd_sbin_domtrans',`
 gen_require(`
 type sbin_t;
- class dir search;
- class lnk_file { getattr read };
 ')
 allow $1 sbin_t:dir search;
@@ -740,7 +712,6 @@ interface(`corecmd_shell_domtrans',`
 interface(`corecmd_exec_chroot',`
 gen_require(`
 type chroot_exec_t;
- class capability sys_chroot;
 ')
 can_exec($1,chroot_exec_t)
diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if
index 15fcea5..563a422 100644
--- a/refpolicy/policy/modules/kernel/domain.if
+++ b/refpolicy/policy/modules/kernel/domain.if
@@ -24,10 +24,6 @@
 interface(`domain_base_type',`
 gen_require(`
 attribute domain;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- class file rw_file_perms;
- class process { fork sigchld };
 ')
 # mark as a domain
@@ -121,7 +117,6 @@ interface(`domain_type',`
 interface(`domain_entry_file',`
 gen_require(`
 attribute entry_type;
- class file entrypoint;
 ')
 files_type($2)
@@ -331,7 +326,6 @@ interface(`domain_cron_exemption_target',`
 interface(`domain_use_wide_inherit_fd',`
 gen_require(`
 attribute privfd;
- class fd use;
 ')
 allow $1 privfd:fd use;
@@ -344,7 +338,6 @@ interface(`domain_use_wide_inherit_fd',`
 interface(`domain_dontaudit_use_wide_inherit_fd',`
 gen_require(`
 attribute privfd;
- class fd use;
 ')
 dontaudit $1 privfd:fd use;
@@ -375,7 +368,6 @@ interface(`domain_sigchld_wide_inherit_fd',`
 interface(`domain_setpriority_all_domains',`
 gen_require(`
 attribute domain;
- class process setsched;
 ')
 allow $1 domain:process setsched;
@@ -392,7 +384,6 @@ interface(`domain_setpriority_all_domains',`
 interface(`domain_signal_all_domains',`
 gen_require(`
 attribute domain;
- class process signal;
 ')
 allow $1 domain:process signal;
@@ -409,7 +400,6 @@ interface(`domain_signal_all_domains',`
 interface(`domain_signull_all_domains',`
 gen_require(`
 attribute domain;
- class process signull;
 ')
 allow $1 domain:process signull;
@@ -426,7 +416,6 @@ interface(`domain_signull_all_domains',`
 interface(`domain_sigstop_all_domains',`
 gen_require(`
 attribute domain;
- class process sigstop;
 ')
 allow $1 domain:process sigstop;
@@ -443,7 +432,6 @@ interface(`domain_sigstop_all_domains',`
 interface(`domain_sigchld_all_domains',`
 gen_require(`
 attribute domain;
- class process sigchld;
 ')
 allow $1 domain:process sigchld;
@@ -460,8 +448,6 @@ interface(`domain_sigchld_all_domains',`
 interface(`domain_kill_all_domains',`
 gen_require(`
 attribute domain;
- class process sigkill;
- class capability kill;
 ')
 allow $1 domain:process sigkill;
@@ -479,7 +465,6 @@ interface(`domain_kill_all_domains',`
 interface(`domain_search_all_domains_state',`
 gen_require(`
 attribute domain;
- class dir search;
 ')
 kernel_search_proc($1)
@@ -514,9 +499,6 @@ interface(`domain_dontaudit_search_all_domains_state',`
 interface(`domain_read_all_domains_state',`
 gen_require(`
 attribute domain;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- class file r_file_perms;
 ')
 kernel_search_proc($1)
@@ -536,7 +518,6 @@ interface(`domain_read_all_domains_state',`
 interface(`domain_getattr_all_domains',`
 gen_require(`
 attribute domain;
- class process getattr;
 ')
 allow $1 domain:process getattr;
@@ -591,7 +572,6 @@ interface(`domain_read_confined_domains_state',`
 interface(`domain_getattr_confined_domains',`
 gen_require(`
 attribute domain, unconfined_domain;
- class process getattr;
 ')
 allow $1 { domain -unconfined_domain }:process getattr;
@@ -661,7 +641,6 @@ interface(`domain_dontaudit_ptrace_all_domains',`
 interface(`domain_dontaudit_ptrace_confined_domains',`
 gen_require(`
 attribute domain, unconfined_domain;
- class process ptrace;
 ')
 dontaudit $1 { domain -unconfined_domain }:process ptrace;
@@ -702,7 +681,6 @@ interface(`domain_dontaudit_read_all_domains_state',`
 interface(`domain_dontaudit_list_all_domains_proc',`
 gen_require(`
 attribute domain;
- class dir r_dir_perms;
 ')
 dontaudit $1 domain:dir r_dir_perms;
@@ -719,7 +697,6 @@ interface(`domain_dontaudit_list_all_domains_proc',`
 interface(`domain_getsession_all_domains',`
 gen_require(`
 attribute domain;
- class process getsession;
 ')
 allow $1 domain:process getsession;
@@ -737,7 +714,6 @@ interface(`domain_getsession_all_domains',`
 interface(`domain_dontaudit_getsession_all_domains',`
 gen_require(`
 attribute domain;
- class process getsession;
 ')
 dontaudit $1 domain:process getsession;
@@ -809,7 +785,6 @@ interface(`domain_dontaudit_getattr_all_sockets',`
 interface(`domain_dontaudit_getattr_all_tcp_sockets',`
 gen_require(`
 attribute domain;
- class tcp_socket getattr;
 ')
 dontaudit $1 domain:tcp_socket getattr;
@@ -827,7 +802,6 @@ interface(`domain_dontaudit_getattr_all_tcp_sockets',`
 interface(`domain_dontaudit_getattr_all_udp_sockets',`
 gen_require(`
 attribute domain;
- class udp_socket getattr;
 ')
 dontaudit $1 domain:udp_socket getattr;
@@ -845,7 +819,6 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',`
 interface(`domain_dontaudit_rw_all_udp_sockets',`
 gen_require(`
 attribute domain;
- class udp_socket { read write };
 ')
 dontaudit $1 domain:udp_socket { read write };
@@ -914,7 +887,6 @@ interface(`domain_dontaudit_getattr_all_raw_sockets',`
 interface(`domain_dontaudit_rw_all_key_sockets',`
 gen_require(`
 attribute domain;
- class key_socket { read write };
 ')
 dontaudit $1 domain:key_socket { read write };
@@ -966,7 +938,6 @@ interface(`domain_dontaudit_getattr_all_stream_sockets',`
 interface(`domain_dontaudit_getattr_all_pipes',`
 gen_require(`
 attribute domain;
- class fifo_file getattr;
 ')
 dontaudit $1 domain:fifo_file getattr;
@@ -984,8 +955,6 @@ interface(`domain_dontaudit_getattr_all_pipes',`
 interface(`domain_getattr_all_entry_files',`
 gen_require(`
 attribute entry_type;
- class file getattr;
- class lnk_file r_file_perms;
 ')
 allow $1 entry_type:lnk_file getattr;
@@ -999,8 +968,6 @@ interface(`domain_getattr_all_entry_files',`
 interface(`domain_read_all_entry_files',`
 gen_require(`
 attribute entry_type;
- class file r_file_perms;
- class lnk_file r_file_perms;
 ')
 allow $1 entry_type:lnk_file r_file_perms;
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 9d9a127..e3264e0 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -252,7 +252,6 @@ interface(`files_tmpfs_file',`
 interface(`files_getattr_all_dirs',`
 gen_require(`
 attribute file_type;
- class dir { getattr search };
 ')
 allow $1 file_type:dir { getattr search };
@@ -270,7 +269,6 @@ interface(`files_getattr_all_dirs',`
 interface(`files_dontaudit_getattr_all_dirs',`
 gen_require(`
 attribute file_type;
- class dir getattr;
 ')
 dontaudit $1 file_type:dir getattr;
@@ -423,8 +421,6 @@ interface(`files_dontaudit_getattr_non_security_files',`
 interface(`files_read_all_files',`
 gen_require(`
 attribute file_type;
- class dir search;
- class file r_file_perms;
 ')
 allow $1 file_type:dir search;
@@ -531,8 +527,6 @@ interface(`files_read_all_symlinks_except',`
 interface(`files_getattr_all_symlinks',`
 gen_require(`
 attribute file_type;
- class dir search;
- class lnk_file getattr;
 ')
 allow $1 file_type:dir search;
@@ -551,7 +545,6 @@ interface(`files_getattr_all_symlinks',`
 interface(`files_dontaudit_getattr_all_symlinks',`
 gen_require(`
 attribute file_type;
- class lnk_file getattr;
 ')
 dontaudit $1 file_type:lnk_file getattr;
@@ -619,8 +612,6 @@ interface(`files_dontaudit_getattr_non_security_chr_dev',`
 interface(`files_read_all_symlinks',`
 gen_require(`
 attribute file_type;
- class dir search;
- class lnk_file { getattr read };
 ')
 allow $1 file_type:dir search;
@@ -638,8 +629,6 @@ interface(`files_read_all_symlinks',`
 interface(`files_getattr_all_pipes',`
 gen_require(`
 attribute file_type;
- class dir search;
- class fifo_file getattr;
 ')
 allow $1 file_type:dir search;
@@ -658,7 +647,6 @@ interface(`files_getattr_all_pipes',`
 interface(`files_dontaudit_getattr_all_pipes',`
 gen_require(`
 attribute file_type;
- class fifo_file getattr;
 ')
 dontaudit $1 file_type:fifo_file getattr;
@@ -692,8 +680,6 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
 interface(`files_getattr_all_sockets',`
 gen_require(`
 attribute file_type;
- class dir search;
- class sock_file getattr;
 ')
 allow $1 file_type:dir search;
@@ -712,7 +698,6 @@ interface(`files_getattr_all_sockets',`
 interface(`files_dontaudit_getattr_all_sockets',`
 gen_require(`
 attribute file_type;
- class sock_file getattr;
 ')
 dontaudit $1 file_type:sock_file getattr;
@@ -785,13 +770,6 @@ interface(`files_read_all_chr_nodes',`
 interface(`files_relabel_all_files',`
 gen_require(`
 attribute file_type;
- class dir { r_dir_perms relabelfrom relabelto };
- class file { relabelfrom relabelto };
- class lnk_file { relabelfrom relabelto };
- class fifo_file { relabelfrom relabelto };
- class sock_file { relabelfrom relabelto };
- class blk_file relabelfrom;
- class chr_file relabelfrom;
 ')
 allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto };
@@ -822,11 +800,6 @@ interface(`files_relabel_all_files',`
 interface(`files_manage_all_files',`
 gen_require(`
 attribute file_type;
- class dir create_dir_perms;
- class file create_file_perms;
- class lnk_file create_lnk_perms;
- class fifo_file create_file_perms;
- class sock_file create_file_perms;
 ')
 allow $1 { file_type $2 }:dir create_dir_perms;
@@ -847,7 +820,6 @@ interface(`files_manage_all_files',`
 interface(`files_search_all_dirs',`
 gen_require(`
 attribute file_type;
- class dir search;
 ')
 allow $1 file_type:dir search;
@@ -860,7 +832,6 @@ interface(`files_search_all_dirs',`
 interface(`files_list_all_dirs',`
 gen_require(`
 attribute file_type;
- class dir r_dir_perms;
 ')
 allow $1 file_type:dir r_dir_perms;
@@ -873,7 +844,6 @@ interface(`files_list_all_dirs',`
 interface(`files_dontaudit_search_all_dirs',`
 gen_require(`
 attribute file_type;
- class dir search;
 ')
 dontaudit $1 file_type:dir search;
@@ -886,7 +856,6 @@ interface(`files_dontaudit_search_all_dirs',`
 interface(`files_relabelto_all_file_type_fs',`
 gen_require(`
 attribute file_type;
- class filesystem relabelto;
 ')
 allow $1 file_type:filesystem relabelto;
@@ -899,7 +868,6 @@ interface(`files_relabelto_all_file_type_fs',`
 interface(`files_mount_all_file_type_fs',`
 gen_require(`
 attribute file_type;
- class filesystem mount;
 ')
 allow $1 file_type:filesystem mount;
@@ -912,7 +880,6 @@ interface(`files_mount_all_file_type_fs',`
 interface(`files_unmount_all_file_type_fs',`
 gen_require(`
 attribute file_type;
- class filesystem unmount;
 ')
 allow $1 file_type:filesystem unmount;
@@ -925,8 +892,6 @@ interface(`files_unmount_all_file_type_fs',`
 interface(`files_mounton_all_mountpoints',`
 gen_require(`
 attribute mountpoint;
- class dir { getattr search mounton };
- class file { getattr mounton };
 ')
 allow $1 mountpoint:dir { getattr search mounton };
@@ -940,8 +905,6 @@ interface(`files_mounton_all_mountpoints',`
 interface(`files_list_root',`
 gen_require(`
 type root_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
 ')
 allow $1 root_t:dir r_dir_perms;
@@ -967,7 +930,6 @@ interface(`files_list_root',`
 interface(`files_filetrans_root',`
 gen_require(`
 type root_t;
- class dir create_dir_perms;
 ')
 allow $1 root_t:dir rw_dir_perms;
@@ -998,7 +960,6 @@ interface(`files_dontaudit_read_root_file',`
 interface(`files_dontaudit_rw_root_file',`
 gen_require(`
 type root_t;
- class file { read write };
 ')
 dontaudit $1 root_t:file { read write };
@@ -1011,7 +972,6 @@ interface(`files_dontaudit_rw_root_file',`
 interface(`files_dontaudit_rw_root_chr_dev',`
 gen_require(`
 type root_t;
- class chr_file { read write };
 ')
 dontaudit $1 root_t:chr_file { read write };
@@ -1024,7 +984,6 @@ interface(`files_dontaudit_rw_root_chr_dev',`
 interface(`files_delete_root_dir_entry',`
 gen_require(`
 type root_t;
- class dir rw_dir_perms;
 ')
 allow $1 root_t:dir rw_dir_perms;
@@ -1037,7 +996,6 @@ interface(`files_delete_root_dir_entry',`
 interface(`files_unmount_rootfs',`
 gen_require(`
 type root_t;
- class filesystem unmount;
 ')
 allow $1 root_t:filesystem unmount;
@@ -1202,7 +1160,6 @@ interface(`files_dontaudit_read_default_files',`
 interface(`files_read_default_symlinks',`
 gen_require(`
 type default_t;
- class lnk_file r_file_perms;
 ')
 allow $1 default_t:lnk_file r_file_perms;
@@ -1219,7 +1176,6 @@ interface(`files_read_default_symlinks',`
 interface(`files_read_default_sockets',`
 gen_require(`
 type default_t;
- class sock_file r_file_perms;
 ')
 allow $1 default_t:sock_file r_file_perms;
@@ -1236,7 +1192,6 @@ interface(`files_read_default_sockets',`
 interface(`files_read_default_pipes',`
 gen_require(`
 type default_t;
- class fifo_file r_file_perms;
 ')
 allow $1 default_t:fifo_file r_file_perms;
@@ -1249,7 +1204,6 @@ interface(`files_read_default_pipes',`
 interface(`files_search_etc',`
 gen_require(`
 type etc_t;
- class dir search;
 ')
 allow $1 etc_t:dir search;
@@ -1266,7 +1220,6 @@ interface(`files_search_etc',`
 interface(`files_setattr_etc_dir',`
 gen_require(`
 type etc_t;
- class dir setattr;
 ')
 allow $1 etc_t:dir setattr;
@@ -1279,7 +1232,6 @@ interface(`files_setattr_etc_dir',`
 interface(`files_list_etc',`
 gen_require(`
 type etc_t;
- class dir r_dir_perms;
 ')
 allow $1 etc_t:dir r_dir_perms;
@@ -1292,9 +1244,6 @@ interface(`files_list_etc',`
 interface(`files_read_etc_files',`
 gen_require(`
 type etc_t;
- class dir r_dir_perms;
- class file r_file_perms;
- class lnk_file r_file_perms;
 ')
 allow $1 etc_t:dir r_dir_perms;
@@ -1309,9 +1258,6 @@ interface(`files_read_etc_files',`
 interface(`files_rw_etc_files',`
 gen_require(`
 type etc_t;
- class dir r_dir_perms;
- class file rw_file_perms;
- class lnk_file r_file_perms;
 ')
 allow $1 etc_t:dir r_dir_perms;
@@ -1326,9 +1272,6 @@ interface(`files_rw_etc_files',`
 interface(`files_manage_etc_files',`
 gen_require(`
 type etc_t;
- class dir rw_dir_perms;
- class file create_file_perms;
- class lnk_file r_file_perms;
 ')
 allow $1 etc_t:dir rw_dir_perms;
@@ -1347,8 +1290,6 @@ interface(`files_manage_etc_files',`
 interface(`files_delete_etc_files',`
 gen_require(`
 type etc_t;
- class dir rw_dir_perms;
- class file unlink;
 ')
 allow $1 etc_t:dir rw_dir_perms;
@@ -1362,8 +1303,6 @@ interface(`files_delete_etc_files',`
 interface(`files_exec_etc_files',`
 gen_require(`
 type etc_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
 ')
 allow $1 etc_t:dir r_dir_perms;
@@ -1398,8 +1337,6 @@ interface(`files_relabel_etc_files',`
 interface(`files_create_boot_flag',`
 gen_require(`
 type root_t, etc_runtime_t;
- class dir rw_dir_perms;
- class file { create read write setattr unlink};
 ')
 allow $1 root_t:dir rw_dir_perms;
@@ -1439,7 +1376,6 @@ interface(`files_read_etc_runtime_files',`
 interface(`files_dontaudit_read_etc_runtime_files',`
 gen_require(`
 type etc_runtime_t;
- class file { getattr read };
 ')
 dontaudit $1 etc_runtime_t:file { getattr read };
@@ -1457,8 +1393,6 @@ interface(`files_dontaudit_read_etc_runtime_files',`
 interface(`files_rw_etc_runtime_files',`
 gen_require(`
 type etc_t, etc_runtime_t;
- class dir r_dir_perms;
- class file rw_file_perms;
 ')
 allow $1 etc_t:dir r_dir_perms;
@@ -1478,8 +1412,6 @@ interface(`files_rw_etc_runtime_files',`
 interface(`files_manage_etc_runtime_files',`
 gen_require(`
 type etc_t, etc_runtime_t;
- class dir rw_dir_perms;
- class file create_file_perms;
 ')
 allow $1 etc_t:dir rw_dir_perms;
@@ -1494,7 +1426,6 @@ interface(`files_manage_etc_runtime_files',`
 interface(`files_filetrans_etc',`
 gen_require(`
 type etc_t;
- class dir rw_dir_perms;
 ')
 allow $1 etc_t:dir rw_dir_perms;
@@ -1551,7 +1482,6 @@ interface(`files_dontaudit_search_isid_type_dir',`
 interface(`files_list_isid_type_dir',`
 gen_require(`
 type file_t;
- class dir r_dir_perms;
 ')
 allow $1 file_t:dir r_dir_perms;
@@ -1569,7 +1499,6 @@ interface(`files_list_isid_type_dir',`
 interface(`files_rw_isid_type_dir',`
 gen_require(`
 type file_t;
- class dir rw_dir_perms;
 ')
 allow $1 file_t:dir rw_dir_perms;
@@ -1587,7 +1516,6 @@ interface(`files_rw_isid_type_dir',`
 interface(`files_manage_isid_type_dir',`
 gen_require(`
 type file_t;
- class dir create_dir_perms;
 ')
 allow $1 file_t:dir create_dir_perms;
@@ -1605,7 +1533,6 @@ interface(`files_manage_isid_type_dir',`
 interface(`files_mounton_isid_type_dir',`
 gen_require(`
 type file_t;
- class dir { getattr search mounton };
 ')
 allow $1 file_t:dir { getattr search mounton };
@@ -1623,8 +1550,6 @@ interface(`files_mounton_isid_type_dir',`
 interface(`files_read_isid_type_file',`
 gen_require(`
 type file_t;
- class dir search;
- class file r_file_perms;
 ')
 allow $1 file_t:dir search;
@@ -1643,8 +1568,6 @@ interface(`files_read_isid_type_file',`
 interface(`files_manage_isid_type_file',`
 gen_require(`
 type file_t;
- class dir rw_dir_perms;
- class file create_file_perms;
 ')
 allow $1 file_t:dir rw_dir_perms;
@@ -1663,8 +1586,6 @@ interface(`files_manage_isid_type_file',`
 interface(`files_manage_isid_type_symlink',`
 gen_require(`
 type file_t;
- class dir rw_dir_perms;
- class lnk_file create_lnk_perms;
 ')
 allow $1 file_t:dir rw_dir_perms;
@@ -1683,8 +1604,6 @@ interface(`files_manage_isid_type_symlink',`
 interface(`files_rw_isid_type_blk_node',`
 gen_require(`
 type file_t;
- class dir search;
- class blk_file rw_file_perms;
 ')
 allow $1 file_t:dir search;
@@ -1703,8 +1622,6 @@ interface(`files_rw_isid_type_blk_node',`
 interface(`files_manage_isid_type_blk_node',`
 gen_require(`
 type file_t;
- class dir rw_dir_perms;
- class blk_file create_file_perms;
 ')
 allow $1 file_t:dir rw_dir_perms;
@@ -1723,8 +1640,6 @@ interface(`files_manage_isid_type_blk_node',`
 interface(`files_manage_isid_type_chr_node',`
 gen_require(`
 type file_t;
- class dir rw_dir_perms;
- class chr_file create_file_perms;
 ')
 allow $1 file_t:dir rw_dir_perms;
@@ -1827,7 +1742,6 @@ interface(`files_dontaudit_list_home',`
 interface(`files_list_home',`
 gen_require(`
 type home_root_t;
- class dir r_dir_perms;
 ')
 allow $1 home_root_t:dir r_dir_perms;
@@ -1875,11 +1789,6 @@ interface(`files_filetrans_home',`
 interface(`files_manage_lost_found',`
 gen_require(`
 type lost_found_t;
- class dir create_dir_perms;
- class file create_file_perms;
- class sock_file create_file_perms;
- class fifo_file create_file_perms;
- class lnk_file create_lnk_perms;
 ')
 allow $1 lost_found_t:dir create_dir_perms;
@@ -1908,7 +1817,6 @@ interface(`files_search_mnt',`
 interface(`files_list_mnt',`
 gen_require(`
 type mnt_t;
- class dir r_dir_perms;
 ')
 allow $1 mnt_t:dir r_dir_perms;
@@ -1925,7 +1833,6 @@ interface(`files_list_mnt',`
 interface(`files_mounton_mnt',`
 gen_require(`
 type mnt_t;
- class dir { search mounton };
 ')
 allow $1 mnt_t:dir { search mounton };
@@ -1942,7 +1849,6 @@ interface(`files_mounton_mnt',`
 interface(`files_manage_mnt_dirs',`
 gen_require(`
 type mnt_t;
- class dir create_dir_perms;
 ')
 allow $1 mnt_t:dir create_dir_perms;
@@ -1959,8 +1865,6 @@ interface(`files_manage_mnt_dirs',`
 interface(`files_manage_mnt_files',`
 gen_require(`
 type mnt_t;
- class dir rw_dir_perms;
- class file create_file_perms;
 ')
 allow $1 mnt_t:dir rw_dir_perms;
@@ -1978,8 +1882,6 @@ interface(`files_manage_mnt_files',`
 interface(`files_manage_mnt_symlinks',`
 gen_require(`
 type mnt_t;
- class dir rw_dir_perms;
- class lnk_file create_lnk_perms;
 ')
 allow $1 mnt_t:dir rw_dir_perms;
@@ -1997,7 +1899,6 @@ interface(`files_manage_mnt_symlinks',`
 interface(`files_list_world_readable',`
 gen_require(`
 type readable_t;
- class dir r_dir_perms;
 ')
 allow $1 readable_t:dir r_dir_perms;
@@ -2014,7 +1915,6 @@ interface(`files_list_world_readable',`
 interface(`files_read_world_readable_files',`
 gen_require(`
 type readable_t;
- class file r_file_perms;
 ')
 allow $1 readable_t:file r_file_perms;
@@ -2031,7 +1931,6 @@ interface(`files_read_world_readable_files',`
 interface(`files_read_world_readable_symlinks',`
 gen_require(`
 type readable_t;
- class lnk_file r_file_perms;
 ')
 allow $1 readable_t:lnk_file r_file_perms;
@@ -2048,7 +1947,6 @@ interface(`files_read_world_readable_symlinks',`
 interface(`files_read_world_readable_pipes',`
 gen_require(`
 type readable_t;
- class fifo_file r_file_perms;
 ')
 allow $1 readable_t:fifo_file r_file_perms;
@@ -2065,7 +1963,6 @@ interface(`files_read_world_readable_pipes',`
 interface(`files_read_world_readable_sockets',`
 gen_require(`
 type readable_t;
- class sock_file r_file_perms;
 ')
 allow $1 readable_t:sock_file r_file_perms;
@@ -2117,7 +2014,6 @@ interface(`files_getattr_tmp_dir',`
 interface(`files_dontaudit_getattr_tmp_dir',`
 gen_require(`
 type tmp_t;
- class dir getattr;
 ')
 dontaudit $1 tmp_t:dir getattr;
@@ -2233,7 +2129,6 @@ interface(`files_rw_generic_tmp_sockets',`
 interface(`files_setattr_all_tmp_dirs',`
 gen_require(`
 attribute tmpfile;
- class dir { search setattr };
 ')
 allow $1 tmpfile:dir { search getattr };
@@ -2246,7 +2141,6 @@ interface(`files_setattr_all_tmp_dirs',`
 interface(`files_filetrans_tmp',`
 gen_require(`
 type tmp_t;
- class dir rw_dir_perms;
 ')
 allow $1 tmp_t:dir rw_dir_perms;
@@ -2265,7 +2159,6 @@ interface(`files_filetrans_tmp',`
 interface(`files_purge_tmp',`
 gen_require(`
 attribute tmpfile;
- class dir { rw_dir_perms rmdir };
 gen_require_set({ getattr unlink },notdevfile_class_set)
 ')
@@ -2280,7 +2173,6 @@ interface(`files_purge_tmp',`
 interface(`files_search_usr',`
 gen_require(`
 type usr_t;
- class dir search;
 ')
 allow $1 usr_t:dir search;
@@ -2298,7 +2190,6 @@ interface(`files_search_usr',`
 interface(`files_list_usr',`
 gen_require(`
 type usr_t;
- class dir r_dir_perms;
 ')
 allow $1 usr_t:dir r_dir_perms;
@@ -2315,8 +2206,6 @@ interface(`files_list_usr',`
 interface(`files_getattr_usr_files',`
 gen_require(`
 type usr_t;
- class dir search;
- class file getattr;
 ')
 allow $1 usr_t:dir search;
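Review bot: The rule kept in files_setattr_all_tmp_dirs, `allow $1 tmpfile:dir { search getattr };`, never grants setattr, even though the interface name promises it and the require line this hunk drops, `class dir { search setattr };`, is the only record of that intent. Either the rule should read `allow $1 tmpfile:dir { search setattr };` or the interface should be renamed; as written, a caller that picks this interface by name gets a setattr denial that is hard to trace back here. The mismatch looks pre-existing rather than introduced by this commit, but removing the require line erases the last hint of the intended permission set, so it is worth settling in the same series. The interface body continues outside the hunk.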
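Review bot: In files_purge_tmp the `gen_require_set({ getattr unlink },notdevfile_class_set)` line stays inside gen_require while the adjacent `class dir { rw_dir_perms rmdir };` requirement is dropped, so this block now mixes the convention the rest of the commit removes with one it keeps. If class requirements are no longer needed in gen_require blocks, the gen_require_set call is presumably redundant as well and could go for consistency; if it must stay because the class set is expanded by macro rather than declared globally, a one-line comment above it saying so would spare the next reader the same question. The body of files_purge_tmp continues outside the hunk.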
@@ -2330,9 +2219,6 @@ interface(`files_getattr_usr_files',` interface(`files_read_usr_files',` gen_require(` type usr_t; - class dir r_dir_perms; - class file r_file_perms; - class lnk_file r_file_perms; ') allow $1 usr_t:dir r_dir_perms; @@ -2369,7 +2255,6 @@ interface(`files_exec_usr_files',` interface(`files_relabelto_usr_files',` gen_require(` type usr_t; - class file relabelto; ') allow $1 usr_t:file relabelto; @@ -2386,8 +2271,6 @@ interface(`files_relabelto_usr_files',` interface(`files_read_usr_symlinks',` gen_require(` type usr_t; - class dir search; - class file r_file_perms; ') allow $1 usr_t:dir search; @@ -2411,7 +2294,6 @@ interface(`files_read_usr_symlinks',` interface(`files_filetrans_usr',` gen_require(` type usr_t; - class dir rw_dir_perms; ') allow $1 usr_t:dir rw_dir_perms; @@ -2545,7 +2427,6 @@ interface(`files_list_var',` interface(`files_manage_var_dirs',` gen_require(` type var_t; - class dir create_dir_perms; ') allow $1 var_t:dir create_dir_perms; @@ -2579,8 +2460,6 @@ interface(`files_read_var_files',` interface(`files_manage_var_files',` gen_require(` type var_t; - class dir rw_dir_perms; - class file create_file_perms; ') allow $1 var_t:dir rw_dir_perms; @@ -2639,7 +2518,6 @@ interface(`files_manage_var_symlinks',` interface(`files_filetrans_var',` gen_require(` type var_t; - class dir rw_dir_perms; ') allow $1 var_t:dir rw_dir_perms; @@ -2662,7 +2540,6 @@ interface(`files_filetrans_var',` interface(`files_search_var_lib_dir',` gen_require(` type var_t, var_lib_t; - class dir search; ') allow $1 var_t:dir search; @@ -2736,7 +2613,6 @@ interface(`files_list_var_lib',` interface(`files_filetrans_var_lib',` gen_require(` type var_t, var_lib_t; - class dir rw_dir_perms; ') allow $1 var_t:dir search_dir_perms; @@ -2900,8 +2776,6 @@ interface(`files_manage_generic_locks',` interface(`files_delete_all_locks',` gen_require(` attribute lockfile; - class dir rw_dir_perms; - class file { getattr unlink }; ') allow $1 lockfile:dir rw_dir_perms; 
@@ -2935,7 +2809,6 @@ interface(`files_read_all_locks',` interface(`files_filetrans_lock',` gen_require(` type var_t, var_lock_t; - class dir rw_dir_perms; ') allow $1 var_t:dir search; @@ -2960,7 +2833,6 @@ interface(`files_filetrans_lock',` interface(`files_dontaudit_getattr_pid_dir',` gen_require(` type var_run_t; - class dir getattr; ') dontaudit $1 var_run_t:dir getattr; @@ -3003,7 +2875,6 @@ interface(`files_dontaudit_search_pids',` interface(`files_list_pids',` gen_require(` type var_t, var_run_t; - class dir r_dir_perms; ') allow $1 var_t:dir search_dir_perms; @@ -3017,7 +2888,6 @@ interface(`files_list_pids',` interface(`files_filetrans_pid',` gen_require(` type var_t, var_run_t; - class dir rw_dir_perms; ') allow $1 var_t:dir search_dir_perms; @@ -3037,8 +2907,6 @@ interface(`files_filetrans_pid',` interface(`files_rw_generic_pids',` gen_require(` type var_t, var_run_t; - class dir r_dir_perms; - class file rw_file_perms; ') allow $1 var_t:dir search; @@ -3118,10 +2986,6 @@ interface(`files_delete_all_pids',` gen_require(` attribute pidfile; type var_t, var_run_t; - class dir rw_dir_perms; - class file { getattr unlink }; - class lnk_file { getattr unlink }; - class sock_file { getattr unlink }; ') allow $1 var_t:dir search; @@ -3166,7 +3030,6 @@ interface(`files_search_spool',` interface(`files_list_spool',` gen_require(` type var_t, var_spool_t; - class dir r_dir_perms; ') allow $1 var_t:dir search; @@ -3180,7 +3043,6 @@ interface(`files_list_spool',` interface(`files_manage_generic_spool_dirs',` gen_require(` type var_t, var_spool_t; - class dir create_dir_perms; ') allow $1 var_t:dir search; @@ -3194,8 +3056,6 @@ interface(`files_manage_generic_spool_dirs',` interface(`files_read_generic_spools',` gen_require(` type var_t, var_spool_t; - class dir r_dir_perms; - class file r_file_perms; ') allow $1 var_t:dir search; 
@@ -3210,8 +3070,6 @@ interface(`files_read_generic_spools',` interface(`files_manage_generic_spools',` gen_require(` type var_t, var_spool_t; - class dir rw_dir_perms; - class file create_file_perms; ') allow $1 var_t:dir search; diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 38358ae..756b542 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -55,7 +55,6 @@ interface(`fs_make_noxattr_fs',` interface(`fs_associate',` gen_require(` type fs_t; - class filesystem associate; ') allow $1 fs_t:filesystem associate; @@ -76,7 +75,6 @@ interface(`fs_associate',` interface(`fs_associate_noxattr',` gen_require(` attribute noxattrfs; - class filesystem associate; ') allow $1 noxattrfs:filesystem associate; @@ -112,7 +110,6 @@ interface(`fs_exec_noxattr',` interface(`fs_mount_xattr_fs',` gen_require(` type fs_t; - class filesystem mount; ') allow $1 fs_t:filesystem mount; @@ -132,7 +129,6 @@ interface(`fs_mount_xattr_fs',` interface(`fs_remount_xattr_fs',` gen_require(` type fs_t; - class filesystem remount; ') allow $1 fs_t:filesystem remount; @@ -151,7 +147,6 @@ interface(`fs_remount_xattr_fs',` interface(`fs_unmount_xattr_fs',` gen_require(` type fs_t; - class filesystem unmount; ') allow $1 fs_t:filesystem mount; @@ -171,7 +166,6 @@ interface(`fs_unmount_xattr_fs',` interface(`fs_getattr_xattr_fs',` gen_require(` type fs_t; - class filesystem getattr; ') allow $1 fs_t:filesystem getattr; @@ -209,7 +203,6 @@ interface(`fs_get_xattr_fs_quotas',` interface(`fs_dontaudit_getattr_xattr_fs',` gen_require(` type fs_t; - class filesystem getattr; ') dontaudit $1 fs_t:filesystem getattr; @@ -228,7 +221,6 @@ interface(`fs_dontaudit_getattr_xattr_fs',` interface(`fs_relabelfrom_xattr_fs',` gen_require(` type fs_t; - class filesystem relabelfrom; ') allow $1 fs_t:filesystem relabelfrom; 
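Review bot: The rule kept on the new side of the fs_unmount_xattr_fs hunk is `allow $1 fs_t:filesystem mount;`, while the require line the commit deletes names the unmount permission and the interface is documented as an unmount interface; the line should be `allow $1 fs_t:filesystem unmount;`. The same mount-for-unmount substitution is visible in fs_unmount_autofs, fs_unmount_dos_fs, fs_unmount_iso9660_fs, fs_unmount_nfs, fs_unmount_nfsd_fs, fs_unmount_ramfs, fs_unmount_romfs, fs_unmount_rpc_pipefs and fs_unmount_tmpfs, whereas fs_unmount_cifs and fs_unmount_all_fs correctly grant unmount. As written, every domain that calls one of these interfaces is given mount on that filesystem type it was never meant to have and is still denied the unmount it asked for, so the over-grant is silent and the denial is misattributed to the caller. Since the commit touches each of these gen_require blocks anyway, it would be the natural place to fix the rule one line below; each interface body continues past its hunk, so rules further down are not visible here.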
@@ -246,7 +238,6 @@ interface(`fs_relabelfrom_xattr_fs',` interface(`fs_get_xattr_fs_quota',` gen_require(` type fs_t; - class filesystem quotaget; ') allow $1 fs_t:filesystem quotaget; @@ -264,7 +255,6 @@ interface(`fs_get_xattr_fs_quota',` interface(`fs_set_xattr_fs_quota',` gen_require(` type fs_t; - class filesystem quotamod; ') allow $1 fs_t:filesystem quotamod; @@ -281,7 +271,6 @@ interface(`fs_set_xattr_fs_quota',` interface(`fs_mount_autofs',` gen_require(` type autofs_t; - class filesystem mount; ') allow $1 autofs_t:filesystem mount; @@ -300,7 +289,6 @@ interface(`fs_mount_autofs',` interface(`fs_remount_autofs',` gen_require(` type autofs_t; - class filesystem remount; ') allow $1 autofs_t:filesystem remount; @@ -317,7 +305,6 @@ interface(`fs_remount_autofs',` interface(`fs_unmount_autofs',` gen_require(` type autofs_t; - class filesystem unmount; ') allow $1 autofs_t:filesystem mount; @@ -336,7 +323,6 @@ interface(`fs_unmount_autofs',` interface(`fs_getattr_autofs',` gen_require(` type autofs_t; - class filesystem getattr; ') allow $1 autofs_t:filesystem getattr; @@ -354,7 +340,6 @@ interface(`fs_getattr_autofs',` interface(`fs_search_auto_mountpoints',` gen_require(` type autofs_t; - class dir { getattr search }; ') allow $1 autofs_t:dir { getattr search }; @@ -412,8 +397,6 @@ interface(`fs_dontaudit_list_auto_mountpoints',` interface(`fs_register_binary_executable_type',` gen_require(` type binfmt_misc_fs_t; - class dir { getattr search }; - class file { getattr ioctl write }; ') allow $1 binfmt_misc_fs_t:dir { getattr search }; @@ -431,7 +414,6 @@ interface(`fs_register_binary_executable_type',` interface(`fs_mount_cifs',` gen_require(` type cifs_t; - class filesystem mount; ') allow $1 cifs_t:filesystem mount; @@ -449,7 +431,6 @@ interface(`fs_mount_cifs',` interface(`fs_remount_cifs',` gen_require(` type cifs_t; - class filesystem remount; ') allow $1 cifs_t:filesystem remount; 
@@ -466,7 +447,6 @@ interface(`fs_remount_cifs',` interface(`fs_unmount_cifs',` gen_require(` type cifs_t; - class filesystem unmount; ') allow $1 cifs_t:filesystem unmount; @@ -485,7 +465,6 @@ interface(`fs_unmount_cifs',` interface(`fs_getattr_cifs',` gen_require(` type cifs_t; - class filesystem getattr; ') allow $1 cifs_t:filesystem getattr; @@ -502,7 +481,6 @@ interface(`fs_getattr_cifs',` interface(`fs_search_cifs',` gen_require(` type cifs_t; - class dir search; ') allow $1 cifs_t:dir search; @@ -520,7 +498,6 @@ interface(`fs_search_cifs',` interface(`fs_list_cifs',` gen_require(` type cifs_t; - class dir r_dir_perms; ') allow $1 cifs_t:dir r_dir_perms; @@ -657,8 +634,6 @@ interface(`fs_dontaudit_rw_cifs_files',` interface(`fs_read_cifs_symlinks',` gen_require(` type cifs_t; - class dir r_dir_perms; - class lnk_file r_file_perms; ') allow $1 cifs_t:dir r_dir_perms; @@ -678,7 +653,6 @@ interface(`fs_read_cifs_symlinks',` interface(`fs_execute_cifs_files',` gen_require(` type cifs_t; - class dir r_dir_perms; ') allow $1 cifs_t:dir r_dir_perms; @@ -732,8 +706,6 @@ interface(`fs_dontaudit_manage_cifs_dirs',` interface(`fs_manage_cifs_files',` gen_require(` type cifs_t; - class dir rw_dir_perms; - class file create_file_perms; ') allow $1 cifs_t:dir rw_dir_perms; @@ -770,8 +742,6 @@ interface(`fs_dontaudit_manage_cifs_files',` interface(`fs_manage_cifs_symlinks',` gen_require(` type cifs_t; - class dir rw_dir_perms; - class lnk_file create_lnk_perms; ') allow $1 cifs_t:dir rw_dir_perms; @@ -790,8 +760,6 @@ interface(`fs_manage_cifs_symlinks',` interface(`fs_manage_cifs_named_pipes',` gen_require(` type cifs_t; - class dir rw_dir_perms; - class fifo_file create_file_perms; ') allow $1 cifs_t:dir rw_dir_perms; @@ -810,8 +778,6 @@ interface(`fs_manage_cifs_named_pipes',` interface(`fs_manage_cifs_named_sockets',` gen_require(` type cifs_t; - class dir rw_dir_perms; - class sock_file create_file_perms; ') allow $1 cifs_t:dir rw_file_perms; 
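Review bot: In the fs_manage_cifs_named_sockets hunk the new-side rule is `allow $1 cifs_t:dir rw_file_perms;`, applying the file-class permission set to the dir class, while the require line being deleted and the sibling interface fs_manage_cifs_named_pipes in the same file both use `rw_dir_perms`. The directory permissions needed to add and remove entries are part of the dir set, not the file set, so creating or removing socket files in cifs_t directories will presumably still be denied for callers of this interface. The line should be `allow $1 cifs_t:dir rw_dir_perms;`. The interface body continues past the hunk, so the sock_file rule itself is not visible here.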
@@ -852,7 +818,6 @@ interface(`fs_manage_cifs_named_sockets',` interface(`fs_cifs_domtrans',` gen_require(` type cifs_t; - class dir search; ') allow $1 cifs_t:dir search; @@ -872,7 +837,6 @@ interface(`fs_cifs_domtrans',` interface(`fs_mount_dos_fs',` gen_require(` type dosfs_t; - class filesystem mount; ') allow $1 dosfs_t:filesystem mount; @@ -891,7 +855,6 @@ interface(`fs_mount_dos_fs',` interface(`fs_remount_dos_fs',` gen_require(` type dosfs_t; - class filesystem remount; ') allow $1 dosfs_t:filesystem remount; @@ -909,7 +872,6 @@ interface(`fs_remount_dos_fs',` interface(`fs_unmount_dos_fs',` gen_require(` type dosfs_t; - class filesystem unmount; ') allow $1 dosfs_t:filesystem mount; @@ -928,7 +890,6 @@ interface(`fs_unmount_dos_fs',` interface(`fs_getattr_dos_fs',` gen_require(` type dosfs_t; - class filesystem getattr; ') allow $1 dosfs_t:filesystem getattr; @@ -946,7 +907,6 @@ interface(`fs_getattr_dos_fs',` interface(`fs_relabelfrom_dos_fs',` gen_require(` type dosfs_t; - class filesystem relabelfrom; ') allow $1 dosfs_t:filesystem relabelfrom; @@ -997,7 +957,6 @@ interface(`fs_search_inotifyfs',` interface(`fs_mount_iso9660_fs',` gen_require(` type iso9660_t; - class filesystem mount; ') allow $1 iso9660_t:filesystem mount; @@ -1016,7 +975,6 @@ interface(`fs_mount_iso9660_fs',` interface(`fs_remount_iso9660_fs',` gen_require(` type iso9660_t; - class filesystem remount; ') allow $1 iso9660_t:filesystem remount; @@ -1034,7 +992,6 @@ interface(`fs_remount_iso9660_fs',` interface(`fs_unmount_iso9660_fs',` gen_require(` type iso9660_t; - class filesystem unmount; ') allow $1 iso9660_t:filesystem mount; @@ -1053,7 +1010,6 @@ interface(`fs_unmount_iso9660_fs',` interface(`fs_getattr_iso9660_fs',` gen_require(` type iso9660_t; - class filesystem getattr; ') allow $1 iso9660_t:filesystem getattr; 
@@ -1070,7 +1026,6 @@ interface(`fs_getattr_iso9660_fs',` interface(`fs_mount_nfs',` gen_require(` type nfs_t; - class filesystem mount; ') allow $1 nfs_t:filesystem mount; @@ -1088,7 +1043,6 @@ interface(`fs_mount_nfs',` interface(`fs_remount_nfs',` gen_require(` type nfs_t; - class filesystem remount; ') allow $1 nfs_t:filesystem remount; @@ -1105,7 +1059,6 @@ interface(`fs_remount_nfs',` interface(`fs_unmount_nfs',` gen_require(` type nfs_t; - class filesystem unmount; ') allow $1 nfs_t:filesystem mount; @@ -1123,7 +1076,6 @@ interface(`fs_unmount_nfs',` interface(`fs_getattr_nfs',` gen_require(` type nfs_t; - class filesystem getattr; ') allow $1 nfs_t:filesystem getattr; @@ -1140,7 +1092,6 @@ interface(`fs_getattr_nfs',` interface(`fs_search_nfs',` gen_require(` type nfs_t; - class dir search; ') allow $1 nfs_t:dir search; @@ -1190,8 +1141,6 @@ interface(`fs_dontaudit_list_nfs',` interface(`fs_read_nfs_files',` gen_require(` type nfs_t; - class dir r_dir_perms; - class file r_file_perms; ') allow $1 nfs_t:dir r_dir_perms; @@ -1243,7 +1192,6 @@ interface(`fs_write_nfs_files',` interface(`fs_execute_nfs_files',` gen_require(` type nfs_t; - class dir r_dir_perms; ') allow $1 nfs_t:dir r_dir_perms; @@ -1278,8 +1226,6 @@ interface(`fs_dontaudit_rw_nfs_files',` interface(`fs_read_nfs_symlinks',` gen_require(` type nfs_t; - class dir r_dir_perms; - class lnk_file r_file_perms; ') allow $1 nfs_t:dir r_dir_perms; @@ -1428,7 +1374,6 @@ interface(`fs_read_rpc_dirs',` interface(`fs_read_rpc_files',` gen_require(` type rpc_pipefs_t; - class file { read getattr }; ') allow $1 rpc_pipefs_t:file { read getattr }; @@ -1446,7 +1391,6 @@ interface(`fs_read_rpc_files',` interface(`fs_read_rpc_symlinks',` gen_require(` type rpc_pipefs_t; - class lnk_file { getattr read }; ') allow $1 rpc_pipefs_t:lnk_file { getattr read }; 
@@ -1464,7 +1408,6 @@ interface(`fs_read_rpc_symlinks',` interface(`fs_read_rpc_sockets',` gen_require(` type rpc_pipefs_t; - class sock_file { read write }; ') allow $1 rpc_pipefs_t:sock_file { read write }; @@ -1483,7 +1426,6 @@ interface(`fs_read_rpc_sockets',` interface(`fs_manage_nfs_dirs',` gen_require(` type nfs_t; - class dir create_dir_perms; ') allow $1 nfs_t:dir create_dir_perms; @@ -1519,8 +1461,6 @@ interface(`fs_dontaudit_manage_nfs_dirs',` interface(`fs_manage_nfs_files',` gen_require(` type nfs_t; - class dir rw_dir_perms; - class file create_file_perms; ') allow $1 nfs_t:dir rw_dir_perms; @@ -1557,8 +1497,6 @@ interface(`fs_dontaudit_manage_nfs_files',` interface(`fs_manage_nfs_symlinks',` gen_require(` type nfs_t; - class dir r_dir_perms; - class lnk_file create_lnk_perms; ') allow $1 nfs_t:dir rw_dir_perms; @@ -1577,8 +1515,6 @@ interface(`fs_manage_nfs_symlinks',` interface(`fs_manage_nfs_named_pipes',` gen_require(` type nfs_t; - class dir rw_dir_perms; - class fifo_file create_file_perms; ') allow $1 nfs_t:dir rw_dir_perms; @@ -1597,8 +1533,6 @@ interface(`fs_manage_nfs_named_pipes',` interface(`fs_manage_nfs_named_sockets',` gen_require(` type nfs_t; - class dir rw_dir_perms; - class sock_file create_file_perms; ') allow $1 nfs_t:dir rw_dir_perms; @@ -1639,7 +1573,6 @@ interface(`fs_manage_nfs_named_sockets',` interface(`fs_nfs_domtrans',` gen_require(` type nfs_t; - class dir search; ') allow $1 nfs_t:dir search; @@ -1658,7 +1591,6 @@ interface(`fs_nfs_domtrans',` interface(`fs_mount_nfsd_fs',` gen_require(` type nfsd_fs_t; - class filesystem mount; ') allow $1 nfsd_fs_t:filesystem mount; @@ -1676,7 +1608,6 @@ interface(`fs_mount_nfsd_fs',` interface(`fs_remount_nfsd_fs',` gen_require(` type nfsd_fs_t; - class filesystem remount; ') allow $1 nfsd_fs_t:filesystem remount; 
@@ -1693,7 +1624,6 @@ interface(`fs_remount_nfsd_fs',` interface(`fs_unmount_nfsd_fs',` gen_require(` type nfsd_fs_t; - class filesystem unmount; ') allow $1 nfsd_fs_t:filesystem mount; @@ -1712,7 +1642,6 @@ interface(`fs_unmount_nfsd_fs',` interface(`fs_getattr_nfsd_fs',` gen_require(` type nfsd_fs_t; - class filesystem getattr; ') allow $1 nfsd_fs_t:filesystem getattr; @@ -1730,7 +1659,6 @@ interface(`fs_getattr_nfsd_fs',` interface(`fs_search_nfsd_fs',` gen_require(` type nfsd_fs_t; - class dir search; ') allow $1 nfsd_fs_t:dir search; @@ -1748,7 +1676,6 @@ interface(`fs_search_nfsd_fs',` interface(`fs_rw_nfsd_fs',` gen_require(` type nfsd_fs_t; - class file rw_file_perms; ') allow $1 nfsd_fs_t:file rw_file_perms; @@ -1765,7 +1692,6 @@ interface(`fs_rw_nfsd_fs',` interface(`fs_mount_ramfs',` gen_require(` type ramfs_t; - class filesystem mount; ') allow $1 ramfs_t:filesystem mount; @@ -1783,7 +1709,6 @@ interface(`fs_mount_ramfs',` interface(`fs_remount_ramfs',` gen_require(` type ramfs_t; - class filesystem remount; ') allow $1 ramfs_t:filesystem remount; @@ -1800,7 +1725,6 @@ interface(`fs_remount_ramfs',` interface(`fs_unmount_ramfs',` gen_require(` type ramfs_t; - class filesystem unmount; ') allow $1 ramfs_t:filesystem mount; @@ -1818,7 +1742,6 @@ interface(`fs_unmount_ramfs',` interface(`fs_getattr_ramfs',` gen_require(` type ramfs_t; - class filesystem getattr; ') allow $1 ramfs_t:filesystem getattr; @@ -1915,7 +1838,6 @@ interface(`fs_write_ramfs_socket',` interface(`fs_mount_romfs',` gen_require(` type romfs_t; - class filesystem mount; ') allow $1 romfs_t:filesystem mount; @@ -1933,7 +1855,6 @@ interface(`fs_mount_romfs',` interface(`fs_remount_romfs',` gen_require(` type romfs_t; - class filesystem remount; ') allow $1 romfs_t:filesystem remount; @@ -1950,7 +1871,6 @@ interface(`fs_remount_romfs',` interface(`fs_unmount_romfs',` gen_require(` type romfs_t; - class filesystem unmount; ') allow $1 romfs_t:filesystem mount; 
@@ -1969,7 +1889,6 @@ interface(`fs_unmount_romfs',` interface(`fs_getattr_romfs',` gen_require(` type romfs_t; - class filesystem getattr; ') allow $1 romfs_t:filesystem getattr; @@ -1986,7 +1905,6 @@ interface(`fs_getattr_romfs',` interface(`fs_mount_rpc_pipefs',` gen_require(` type rpc_pipefs_t; - class filesystem mount; ') allow $1 rpc_pipefs_t:filesystem mount; @@ -2004,7 +1922,6 @@ interface(`fs_mount_rpc_pipefs',` interface(`fs_remount_rpc_pipefs',` gen_require(` type rpc_pipefs_t; - class filesystem remount; ') allow $1 rpc_pipefs_t:filesystem remount; @@ -2021,7 +1938,6 @@ interface(`fs_remount_rpc_pipefs',` interface(`fs_unmount_rpc_pipefs',` gen_require(` type rpc_pipefs_t; - class filesystem unmount; ') allow $1 rpc_pipefs_t:filesystem mount; @@ -2040,7 +1956,6 @@ interface(`fs_unmount_rpc_pipefs',` interface(`fs_getattr_rpc_pipefs',` gen_require(` type rpc_pipefs_t; - class filesystem getattr; ') allow $1 rpc_pipefs_t:filesystem getattr; @@ -2057,7 +1972,6 @@ interface(`fs_getattr_rpc_pipefs',` interface(`fs_mount_tmpfs',` gen_require(` type tmpfs_t; - class filesystem mount; ') allow $1 tmpfs_t:filesystem mount; @@ -2074,7 +1988,6 @@ interface(`fs_mount_tmpfs',` interface(`fs_remount_tmpfs',` gen_require(` type tmpfs_t; - class filesystem remount; ') allow $1 tmpfs_t:filesystem remount; @@ -2091,7 +2004,6 @@ interface(`fs_remount_tmpfs',` interface(`fs_unmount_tmpfs',` gen_require(` type tmpfs_t; - class filesystem unmount; ') allow $1 tmpfs_t:filesystem mount; @@ -2110,7 +2022,6 @@ interface(`fs_unmount_tmpfs',` interface(`fs_getattr_tmpfs',` gen_require(` type tmpfs_t; - class filesystem getattr; ') allow $1 tmpfs_t:filesystem getattr; @@ -2127,7 +2038,6 @@ interface(`fs_getattr_tmpfs',` interface(`fs_associate_tmpfs',` gen_require(` type tmpfs_t; - class filesystem associate; ') allow $1 tmpfs_t:filesystem associate; 
@@ -2144,7 +2054,6 @@ interface(`fs_associate_tmpfs',` interface(`fs_getattr_tmpfs_dir',` gen_require(` type tmpfs_t; - class dir getattr; ') allow $1 tmpfs_t:dir getattr; @@ -2161,7 +2070,6 @@ interface(`fs_getattr_tmpfs_dir',` interface(`fs_setattr_tmpfs_dir',` gen_require(` type tmpfs_t; - class dir setattr; ') allow $1 tmpfs_t:dir setattr; @@ -2178,7 +2086,6 @@ interface(`fs_setattr_tmpfs_dir',` interface(`fs_search_tmpfs',` gen_require(` type tmpfs_t; - class dir search; ') allow $1 tmpfs_t:dir search; @@ -2195,7 +2102,6 @@ interface(`fs_search_tmpfs',` interface(`fs_list_tmpfs',` gen_require(` type tmpfs_t; - class dir r_dir_perms; ') allow $1 tmpfs_t:dir r_dir_perms; @@ -2213,7 +2119,6 @@ interface(`fs_list_tmpfs',` interface(`fs_dontaudit_list_tmpfs',` gen_require(` type tmpfs_t; - class dir r_dir_perms; ') dontaudit $1 tmpfs_t:dir r_dir_perms; @@ -2231,7 +2136,6 @@ interface(`fs_dontaudit_list_tmpfs',` interface(`fs_manage_tmpfs_dirs',` gen_require(` type tmpfs_t; - class dir create_dir_perms; ') allow $1 tmpfs_t:dir create_dir_perms; @@ -2244,8 +2148,6 @@ interface(`fs_manage_tmpfs_dirs',` interface(`fs_filetrans_tmpfs',` gen_require(` type tmpfs_t; - class filesystem associate; - class dir rw_dir_perms; ') allow $2 tmpfs_t:filesystem associate; @@ -2337,8 +2239,6 @@ interface(`fs_read_tmpfs_symlinks',` interface(`fs_use_tmpfs_chr_dev',` gen_require(` type tmpfs_t; - class dir r_dir_perms; - class chr_file rw_file_perms; ') allow $1 tmpfs_t:dir r_dir_perms; @@ -2356,8 +2256,6 @@ interface(`fs_use_tmpfs_chr_dev',` interface(`fs_dontaudit_use_tmpfs_chr_dev',` gen_require(` type tmpfs_t; - class dir r_dir_perms; - class chr_file rw_file_perms; ') dontaudit $1 tmpfs_t:dir r_dir_perms; @@ -2375,8 +2273,6 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` interface(`fs_relabel_tmpfs_chr_dev',` gen_require(` type tmpfs_t; - class dir r_dir_perms; - class chr_file { getattr relabelfrom relabelto }; ') allow $1 tmpfs_t:dir r_dir_perms; 
@@ -2394,8 +2290,6 @@ interface(`fs_relabel_tmpfs_chr_dev',` interface(`fs_use_tmpfs_blk_dev',` gen_require(` type tmpfs_t; - class dir r_dir_perms; - class blk_file rw_file_perms; ') allow $1 tmpfs_t:dir r_dir_perms; @@ -2413,8 +2307,6 @@ interface(`fs_use_tmpfs_blk_dev',` interface(`fs_relabel_tmpfs_blk_dev',` gen_require(` type tmpfs_t; - class dir r_dir_perms; - class blk_file { getattr relabelfrom relabelto }; ') allow $1 tmpfs_t:dir r_dir_perms; @@ -2433,8 +2325,6 @@ interface(`fs_relabel_tmpfs_blk_dev',` interface(`fs_manage_tmpfs_files',` gen_require(` type tmpfs_t; - class dir rw_dir_perms; - class file create_file_perms; ') allow $1 tmpfs_t:dir rw_dir_perms; @@ -2453,8 +2343,6 @@ interface(`fs_manage_tmpfs_files',` interface(`fs_manage_tmpfs_symlinks',` gen_require(` type tmpfs_t; - class dir rw_dir_perms; - class chr_file create_lnk_perms; ') allow $1 tmpfs_t:dir rw_dir_perms; @@ -2473,8 +2361,6 @@ interface(`fs_manage_tmpfs_symlinks',` interface(`fs_manage_tmpfs_sockets',` gen_require(` type tmpfs_t; - class dir rw_dir_perms; - class sock_file create_file_perms; ') allow $1 tmpfs_t:dir rw_dir_perms; @@ -2493,8 +2379,6 @@ interface(`fs_manage_tmpfs_sockets',` interface(`fs_manage_tmpfs_chr_dev',` gen_require(` type tmpfs_t; - class dir rw_dir_perms; - class chr_file create_file_perms; ') allow $1 tmpfs_t:dir rw_dir_perms; @@ -2513,8 +2397,6 @@ interface(`fs_manage_tmpfs_chr_dev',` interface(`fs_manage_tmpfs_blk_dev',` gen_require(` type tmpfs_t; - class dir rw_dir_perms; - class blk_file create_file_perms; ') allow $1 tmpfs_t:dir rw_dir_perms; @@ -2532,7 +2414,6 @@ interface(`fs_manage_tmpfs_blk_dev',` interface(`fs_mount_all_fs',` gen_require(` attribute filesystem_type; - class filesystem mount; ') allow $1 filesystem_type:filesystem mount; @@ -2550,7 +2431,6 @@ interface(`fs_mount_all_fs',` interface(`fs_remount_all_fs',` gen_require(` attribute filesystem_type; - class filesystem remount; ') allow $1 filesystem_type:filesystem remount; 
@@ -2567,7 +2447,6 @@ interface(`fs_remount_all_fs',` interface(`fs_unmount_all_fs',` gen_require(` attribute filesystem_type; - class filesystem unmount; ') allow $1 filesystem_type:filesystem unmount; @@ -2586,7 +2465,6 @@ interface(`fs_unmount_all_fs',` interface(`fs_getattr_all_fs',` gen_require(` attribute filesystem_type; - class filesystem getattr; ') allow $1 filesystem_type:filesystem getattr; @@ -2604,7 +2482,6 @@ interface(`fs_getattr_all_fs',` interface(`fs_dontaudit_getattr_all_fs',` gen_require(` attribute filesystem_type; - class filesystem getattr; ') dontaudit $1 filesystem_type:filesystem getattr; @@ -2621,7 +2498,6 @@ interface(`fs_dontaudit_getattr_all_fs',` interface(`fs_get_all_fs_quotas',` gen_require(` attribute filesystem_type; - class filesystem quotaget; ') allow $1 filesystem_type:filesystem quotaget; @@ -2638,7 +2514,6 @@ interface(`fs_get_all_fs_quotas',` interface(`fs_set_all_quotas',` gen_require(` attribute filesystem_type; - class filesystem quotamod; ') allow $1 filesystem_type:filesystem quotamod; @@ -2705,7 +2580,6 @@ interface(`fs_search_all',` interface(`fs_list_all',` gen_require(` attribute filesystem_type; - class dir r_dir_perms; ') allow $1 filesystem_type:dir r_dir_perms; diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index 896ecdd..e5f3996 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te 
@@ -139,8 +139,8 @@ sid any_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid file_labels gen_context(system_u:object_r:unlabeled_t,s0) sid icmp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid igmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) -sid init gen_context(system_u:object_r:unlabeled_t,s0) -sid kmod gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) +sid init gen_context(system_u:object_r:unlabeled_t,s0) +sid kmod gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid netmsg gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid policy gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) sid scmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255) diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if index 5f1f1f8..df6f2b2 100644 --- a/refpolicy/policy/modules/kernel/storage.if +++ b/refpolicy/policy/modules/kernel/storage.if @@ -12,7 +12,6 @@ interface(`storage_getattr_fixed_disk',` gen_require(` type fixed_disk_device_t; - class blk_file getattr; ') dev_list_all_dev_nodes($1) @@ -31,7 +30,6 @@ interface(`storage_getattr_fixed_disk',` interface(`storage_dontaudit_getattr_fixed_disk',` gen_require(` type fixed_disk_device_t; - class blk_file getattr; ') dontaudit $1 fixed_disk_device_t:blk_file getattr; @@ -49,7 +47,6 @@ interface(`storage_dontaudit_getattr_fixed_disk',` interface(`storage_setattr_fixed_disk',` gen_require(` type fixed_disk_device_t; - class blk_file setattr; ') dev_list_all_dev_nodes($1) @@ -88,7 +85,6 @@ interface(`storage_raw_read_fixed_disk',` gen_require(` attribute fixed_disk_raw_read; type fixed_disk_device_t; - class blk_file r_file_perms; ') dev_list_all_dev_nodes($1) @@ -166,7 +162,6 @@ interface(`storage_create_fixed_disk',` gen_require(` attribute fixed_disk_raw_read, fixed_disk_raw_write; type fixed_disk_device_t; - class blk_file create_file_perms; ') allow $1 fixed_disk_device_t:blk_file create_file_perms; 
@@ -186,7 +181,6 @@ interface(`storage_manage_fixed_disk',` gen_require(` attribute fixed_disk_raw_read, fixed_disk_raw_write; type fixed_disk_device_t; - class blk_file create_file_perms; ') dev_list_all_dev_nodes($1) @@ -206,7 +200,6 @@ interface(`storage_create_fixed_disk_tmpfs',` gen_require(` attribute fixed_disk_raw_read, fixed_disk_raw_write; type fixed_disk_device_t; - class blk_file create_file_perms; ') allow $1 fixed_disk_device_t:blk_file create_file_perms; @@ -226,7 +219,6 @@ interface(`storage_create_fixed_disk_tmpfs',` interface(`storage_relabel_fixed_disk',` gen_require(` type fixed_disk_device_t; - class blk_file { relabelfrom relabelto }; ') dev_list_all_dev_nodes($1) @@ -244,7 +236,6 @@ interface(`storage_relabel_fixed_disk',` interface(`storage_swapon_fixed_disk',` gen_require(` type fixed_disk_device_t; - class blk_file { getattr swapon }; ') dev_list_all_dev_nodes($1) @@ -266,7 +257,6 @@ interface(`storage_raw_read_lvm_volume',` gen_require(` attribute fixed_disk_raw_read; type lvm_vg_t; - class blk_file r_file_perms; ') dev_list_all_dev_nodes($1) @@ -289,7 +279,6 @@ interface(`storage_raw_write_lvm_volume',` gen_require(` attribute fixed_disk_raw_write; type lvm_vg_t; - class blk_file { getattr write ioctl }; ') dev_list_all_dev_nodes($1) @@ -426,7 +415,6 @@ interface(`storage_dontaudit_rw_scsi_generic',` interface(`storage_getattr_removable_device',` gen_require(` type removable_device_t; - class blk_file getattr; ') dev_list_all_dev_nodes($1) @@ -445,7 +433,6 @@ interface(`storage_getattr_removable_device',` interface(`storage_dontaudit_getattr_removable_device',` gen_require(` type removable_device_t; - class blk_file getattr; ') dontaudit $1 removable_device_t:blk_file getattr; @@ -463,7 +450,6 @@ interface(`storage_dontaudit_getattr_removable_device',` interface(`storage_dontaudit_read_removable_device',` gen_require(` type removable_device_t; - class blk_file { getattr ioctl read }; ') 
@@ -482,7 +468,6 @@ interface(`storage_dontaudit_read_removable_device',` interface(`storage_setattr_removable_device',` gen_require(` type removable_device_t; - class blk_file setattr; ') dev_list_all_dev_nodes($1) @@ -501,7 +486,6 @@ interface(`storage_setattr_removable_device',` interface(`storage_dontaudit_setattr_removable_device',` gen_require(` type removable_device_t; - class blk_file setattr; ') dontaudit $1 removable_device_t:blk_file setattr; @@ -522,7 +506,6 @@ interface(`storage_dontaudit_setattr_removable_device',` interface(`storage_raw_read_removable_device',` gen_require(` type removable_device_t; - class blk_file r_file_perms; ') dev_list_all_dev_nodes($1) @@ -560,7 +543,6 @@ interface(`storage_dontaudit_raw_read_removable_device',` interface(`storage_raw_write_removable_device',` gen_require(` type removable_device_t; - class blk_file { getattr write ioctl }; ') dev_list_all_dev_nodes($1) diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 4380d04..978b5f0 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -240,7 +240,6 @@ interface(`term_setattr_console',` interface(`term_dontaudit_getattr_pty_dir',` gen_require(` type devpts_t; - class dir getattr; ') dontaudit $1 devpts_t:dir getattr; @@ -293,7 +292,6 @@ interface(`term_dontaudit_search_ptys',` interface(`term_list_ptys',` gen_require(` type devpts_t; - class dir r_dir_perms; ') dev_list_all_dev_nodes($1) @@ -312,7 +310,6 @@ interface(`term_list_ptys',` interface(`term_dontaudit_list_ptys',` gen_require(` type devpts_t; - class dir { getattr search read }; ') dontaudit $1 devpts_t:dir { getattr search read }; @@ -330,7 +327,6 @@ interface(`term_dontaudit_list_ptys',` interface(`term_dontaudit_manage_pty_dir',` gen_require(` type devpts_t; - class dir create_dir_perms; ') dontaudit $1 devpts_t:dir create_dir_perms; 
@@ -388,7 +384,6 @@ interface(`term_use_generic_pty',` interface(`term_dontaudit_use_generic_pty',` gen_require(` type devpts_t; - class chr_file { read write }; ') dontaudit $1 devpts_t:chr_file { read write }; @@ -440,7 +435,6 @@ interface(`term_use_ptmx',` interface(`term_dontaudit_use_ptmx',` gen_require(` type ptmx_t; - class chr_file { getattr read write }; ') dontaudit $1 ptmx_t:chr_file { getattr read write }; @@ -458,8 +452,6 @@ interface(`term_dontaudit_use_ptmx',` interface(`term_getattr_all_user_ptys',` gen_require(` attribute ptynode; - class dir r_dir_perms; - class chr_file getattr; ') dev_list_all_dev_nodes($1) @@ -480,7 +472,6 @@ interface(`term_getattr_all_user_ptys',` interface(`term_dontaudit_getattr_all_user_ptys',` gen_require(` attribute ptynode; - class chr_file getattr; ') dev_list_all_dev_nodes($1) @@ -500,8 +491,6 @@ interface(`term_dontaudit_getattr_all_user_ptys',` interface(`term_setattr_all_user_ptys',` gen_require(` attribute ptynode; - class dir r_dir_perms; - class chr_file setattr; ') dev_list_all_dev_nodes($1) @@ -520,7 +509,6 @@ interface(`term_setattr_all_user_ptys',` interface(`term_relabelto_all_user_ptys',` gen_require(` attribute ptynode; - class chr_file relabelto; ') allow $1 ptynode:chr_file relabelto; @@ -575,7 +563,6 @@ interface(`term_relabel_all_user_ptys',` gen_require(` attribute ptynode; type devpts_t; - class chr_file { relabelfrom relabelto }; ') dev_list_all_dev_nodes($1) @@ -595,7 +582,6 @@ interface(`term_relabel_all_user_ptys',` interface(`term_getattr_unallocated_ttys',` gen_require(` type tty_device_t; - class chr_file getattr; ') dev_list_all_dev_nodes($1) @@ -614,7 +600,6 @@ interface(`term_getattr_unallocated_ttys',` interface(`term_dontaudit_getattr_unallocated_ttys',` gen_require(` type tty_device_t; - class chr_file getattr; ') dontaudit $1 tty_device_t:chr_file getattr; 
@@ -632,7 +617,6 @@ interface(`term_dontaudit_getattr_unallocated_ttys',` interface(`term_setattr_unallocated_ttys',` gen_require(` type tty_device_t;
- class chr_file setattr;
') dev_list_all_dev_nodes($1)
@@ -668,7 +652,6 @@ interface(`term_dontaudit_ioctl_unallocated_ttys',` interface(`term_relabel_unallocated_ttys',` gen_require(` type tty_device_t;
- class chr_file { relabelfrom relabelto };
') dev_list_all_dev_nodes($1)
@@ -688,7 +671,6 @@ interface(`term_reset_tty_labels',` gen_require(` attribute ttynode; type tty_device_t;
- class chr_file { relabelfrom relabelto };
') dev_list_all_dev_nodes($1)
@@ -707,7 +689,6 @@ interface(`term_reset_tty_labels',` interface(`term_write_unallocated_ttys',` gen_require(` type tty_device_t;
- class chr_file { getattr write };
') dev_list_all_dev_nodes($1)
@@ -743,7 +724,6 @@ interface(`term_use_unallocated_tty',` interface(`term_dontaudit_use_unallocated_tty',` gen_require(` type tty_device_t;
- class chr_file { read write };
') dontaudit $1 tty_device_t:chr_file { read write };
@@ -761,7 +741,6 @@ interface(`term_dontaudit_use_unallocated_tty',` interface(`term_getattr_all_user_ttys',` gen_require(` attribute ttynode;
- class chr_file getattr;
') dev_list_all_dev_nodes($1)
@@ -781,7 +760,6 @@ interface(`term_getattr_all_user_ttys',` interface(`term_dontaudit_getattr_all_user_ttys',` gen_require(` attribute ttynode;
- class chr_file getattr;
') dev_list_all_dev_nodes($1)
@@ -800,7 +778,6 @@ interface(`term_dontaudit_getattr_all_user_ttys',` interface(`term_setattr_all_user_ttys',` gen_require(` attribute ttynode;
- class chr_file setattr;
') dev_list_all_dev_nodes($1)
@@ -819,7 +796,6 @@ interface(`term_setattr_all_user_ttys',` interface(`term_relabel_all_user_ttys',` gen_require(` attribute ttynode;
- class chr_file { relabelfrom relabelto };
') dev_list_all_dev_nodes($1)
@@ -837,7 +813,6 @@ interface(`term_relabel_all_user_ttys',` interface(`term_write_all_user_ttys',` gen_require(` attribute ttynode;
- class chr_file { getattr write };
') dev_list_all_dev_nodes($1)
@@ -873,7 +848,6 @@ interface(`term_use_all_user_ttys',` interface(`term_dontaudit_use_all_user_ttys',` gen_require(` attribute ttynode;
- class chr_file { read write };
') dontaudit $1 ttynode:chr_file { read write };
diff --git a/refpolicy/policy/modules/services/arpwatch.if b/refpolicy/policy/modules/services/arpwatch.if
index 2e0dedd..87ef19e 100644
--- a/refpolicy/policy/modules/services/arpwatch.if
+++ b/refpolicy/policy/modules/services/arpwatch.if
@@ -77,7 +77,6 @@ interface(`arpwatch_manage_tmp_files',` interface(`arpwatch_dontaudit_rw_packet_socket',` gen_require(` type arpwatch_t;
- class packet_socket { read write };
') dontaudit $1 arpwatch_t:packet_socket { read write };
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 477327c..c7a097f 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -313,9 +313,6 @@ template(`cron_admin_template',` interface(`cron_system_entry',` gen_require(` type crond_t, system_crond_t;
- class fd use;
- class fifo_file rw_file_perms;
- class process sigchld;
') domain_auto_trans(system_crond_t, $2, $1)
@@ -344,7 +341,6 @@ interface(`cron_system_entry',` interface(`cron_use_fd',` gen_require(` type crond_t;
- class fd use;
') allow $1 crond_t:fd use;
@@ -361,7 +357,6 @@ interface(`cron_use_fd',` interface(`cron_sigchld',` gen_require(` type crond_t;
- class process sigchld;
') allow $1 crond_t:process sigchld;
@@ -443,7 +438,6 @@ interface(`cron_crw_tcp_socket',` interface(`cron_search_spool',` gen_require(` type cron_spool_t;
- class dir search;
') files_search_spool($1)
@@ -499,7 +493,6 @@ interface(`cron_use_system_job_fd',` interface(`cron_write_system_job_pipe',` gen_require(` type system_crond_t;
- class file write;
') allow $1 system_crond_t:file write;
@@ -532,7 +525,6 @@ interface(`cron_rw_system_job_pipe',` interface(`cron_read_system_job_tmp_files',` gen_require(` type system_crond_tmp_t;
- class file r_file_perms;
') files_search_tmp($1)
diff --git a/refpolicy/policy/modules/services/dhcp.if b/refpolicy/policy/modules/services/dhcp.if
index 4a40fbc..003671d 100644
--- a/refpolicy/policy/modules/services/dhcp.if
+++ b/refpolicy/policy/modules/services/dhcp.if
@@ -12,7 +12,6 @@ interface(`dhcpd_setattr_state_files',` gen_require(` type dhcpd_state_t;
- class file setattr;
') sysnet_search_dhcp_state($1)
diff --git a/refpolicy/policy/modules/services/dictd.if b/refpolicy/policy/modules/services/dictd.if
index 26f27aa..5fc1baa 100644
--- a/refpolicy/policy/modules/services/dictd.if
+++ b/refpolicy/policy/modules/services/dictd.if
@@ -12,7 +12,6 @@ interface(`dictd_use',` gen_require(` type dictd_t;
- class tcp_socket { connectto acceptfrom recvfrom };
') allow $1 dictd_t:tcp_socket { connectto recvfrom };
diff --git a/refpolicy/policy/modules/services/dovecot.if b/refpolicy/policy/modules/services/dovecot.if
index 49ef250..a14c5b9 100644
--- a/refpolicy/policy/modules/services/dovecot.if
+++ b/refpolicy/policy/modules/services/dovecot.if
@@ -11,9 +11,6 @@ interface(`dovecot_manage_spool',` gen_require(` type dovecot_spool_t;
- class dir rw_dir_perms;
- class file create_file_perms;
- class lnk_file create_lnk_perms;
') allow $1 dovecot_spool_t:dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
index 042e679..9c66cb1 100644
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@@ -24,9 +24,6 @@ interface(`inetd_core_service_domain',` gen_require(` type inetd_t; role system_r;
- class fd use;
- class fifo_file rw_file_perms;
- class process { sigchld sigkill };
') domain_type($1)
@@ -92,7 +89,6 @@ interface(`inetd_tcp_service_domain',` gen_require(` type inetd_t;
- class tcp_socket rw_stream_socket_perms;
') inetd_core_service_domain($1,$2)
@@ -114,7 +110,6 @@ interface(`inetd_tcp_service_domain',` interface(`inetd_udp_service_domain',` gen_require(` type inetd_t;
- class udp_socket rw_socket_perms;
') inetd_core_service_domain($1,$2)
@@ -136,8 +131,6 @@ interface(`inetd_udp_service_domain',` interface(`inetd_service_domain',` gen_require(` type inetd_t;
- class tcp_socket rw_stream_socket_perms;
- class udp_socket rw_socket_perms;
') inetd_core_service_domain($1,$2)
@@ -157,7 +150,6 @@ interface(`inetd_service_domain',` interface(`inetd_use_fd',` gen_require(` type inetd_t;
- class fd use;
') allow $1 inetd_t:fd use;
@@ -174,7 +166,6 @@ interface(`inetd_use_fd',` interface(`inetd_tcp_connect',` gen_require(` type inetd_t;
- class tcp_socket { connectto acceptfrom recvfrom };
') allow $1 inetd_t:tcp_socket { connectto recvfrom };
@@ -193,9 +184,6 @@ interface(`inetd_tcp_connect',` interface(`inetd_domtrans_child',` gen_require(` type inetd_child_t, inetd_child_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
') corecmd_search_sbin($1)
diff --git a/refpolicy/policy/modules/services/inn.if b/refpolicy/policy/modules/services/inn.if
index e165690..d1aa502 100644
--- a/refpolicy/policy/modules/services/inn.if
+++ b/refpolicy/policy/modules/services/inn.if
@@ -45,7 +45,6 @@ interface(`inn_exec_config',` interface(`inn_manage_log',` gen_require(` type innd_log_t;
- class file create_file_perms;
') logging_rw_log_dir($1)
@@ -64,8 +63,6 @@ interface(`inn_manage_log',` interface(`inn_manage_pid',` gen_require(` type innd_var_run_t;
- class dir rw_dir_perms;
- class file create_file_perms;
') files_search_pids($1)
@@ -85,9 +82,6 @@ interface(`inn_manage_pid',` interface(`inn_read_config',` gen_require(` type innd_etc_t;
- class dir { getattr read search };
- class file { read getattr };
- class lnk_file { getattr read };
') allow $1 innd_etc_t:dir { getattr read search };
@@ -106,9 +100,6 @@ interface(`inn_read_config',` interface(`inn_read_news_lib',` gen_require(` type innd_var_lib_t;
- class dir { getattr read search };
- class file { read getattr };
- class lnk_file { getattr read };
') allow $1 innd_var_lib_t:dir { getattr read search };
@@ -127,9 +118,6 @@ interface(`inn_read_news_lib',` interface(`inn_read_news_spool',` gen_require(` type news_spool_t;
- class dir { getattr read search };
- class file { read getattr };
- class lnk_file { getattr read };
') allow $1 news_spool_t:dir { getattr read search };
@@ -148,7 +136,6 @@ interface(`inn_read_news_spool',` interface(`inn_sendto_unix_dgram_socket',` gen_require(` type innd_t;
- class unix_dgram_socket sendto;
') allow $1 innd_t:unix_dgram_socket sendto;
diff --git a/refpolicy/policy/modules/services/ldap.if b/refpolicy/policy/modules/services/ldap.if
index 2f3b0ea..d0ee988 100644
--- a/refpolicy/policy/modules/services/ldap.if
+++ b/refpolicy/policy/modules/services/ldap.if
@@ -12,7 +12,6 @@ interface(`ldap_list_db_dir',` gen_require(` type slapd_db_t;
- class dir r_dir_perms;
') allow $1 slapd_db_t:dir r_dir_perms;
@@ -29,7 +28,6 @@ interface(`ldap_list_db_dir',` interface(`ldap_read_config',` gen_require(` type slapd_etc_t;
- class file { getattr read };
') files_search_etc($1)
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 3ed30bd..a9451c9 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -492,7 +492,6 @@ interface(`mta_read_config',` interface(`mta_read_aliases',` gen_require(` type etc_aliases_t;
- class file r_file_perms;
') files_search_etc($1)
@@ -523,7 +522,6 @@ interface(`mta_filetrans_etc_aliases',` interface(`mta_rw_aliases',` gen_require(` type etc_aliases_t;
- class file { rw_file_perms setattr };
') files_search_etc($1)
@@ -577,7 +575,6 @@ interface(`mta_tcp_connect_all_mailservers',` interface(`mta_dontaudit_read_spool_symlink',` gen_require(` type mail_spool_t;
- class lnk_file read;
') dontaudit $1 mail_spool_t:lnk_file read;
@@ -590,9 +587,6 @@ interface(`mta_dontaudit_read_spool_symlink',` interface(`mta_getattr_spool',` gen_require(` type mail_spool_t;
- class dir r_dir_perms;
- class file getattr;
- class lnk_file read;
') files_search_spool($1)
@@ -639,9 +633,6 @@ interface(`mta_filetrans_spool',` interface(`mta_rw_spool',` gen_require(` type mail_spool_t;
- class dir r_dir_perms;
- class lnk_file { getattr read };
- class file { rw_file_perms setattr };
') files_search_spool($1)
@@ -661,9 +652,6 @@ interface(`mta_rw_spool',` interface(`mta_append_spool',` gen_require(` type mail_spool_t;
- class dir ra_dir_perms;
- class lnk_file { getattr read };
- class file create_file_perms;
') files_search_spool($1)
@@ -729,8 +717,6 @@ interface(`mta_dontaudit_rw_queue',` interface(`mta_manage_queue',` gen_require(` type mqueue_spool_t;
- class dir rw_dir_perms;
- class file create_file_perms;
') files_search_spool($1)
diff --git a/refpolicy/policy/modules/services/ntp.if b/refpolicy/policy/modules/services/ntp.if
index a77fef5..d47c47e 100644
--- a/refpolicy/policy/modules/services/ntp.if
+++ b/refpolicy/policy/modules/services/ntp.if
@@ -25,9 +25,6 @@ interface(`ntp_stub',` interface(`ntp_domtrans',` gen_require(` type ntpd_t, ntpd_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
') corecmd_search_sbin($1)
@@ -50,9 +47,6 @@ interface(`ntp_domtrans',` interface(`ntp_domtrans_ntpdate',` gen_require(` type ntpd_t, ntpdate_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
') corecmd_search_sbin($1)
diff --git a/refpolicy/policy/modules/services/portmap.if b/refpolicy/policy/modules/services/portmap.if
index ba50160..b0ae4a4 100644
--- a/refpolicy/policy/modules/services/portmap.if
+++ b/refpolicy/policy/modules/services/portmap.if
@@ -11,9 +11,6 @@ interface(`portmap_domtrans_helper',` gen_require(` type portmap_helper_t, portmap_helper_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
') corecmd_search_bin($1)
@@ -44,7 +41,6 @@ interface(`portmap_domtrans_helper',` interface(`portmap_run_helper',` gen_require(` type portmap_t, portmap_helper_t;
- class chr_file { getattr read write ioctl };
') portmap_domtrans_helper($1)
@@ -71,7 +67,6 @@ interface(`portmap_run_helper',` interface(`portmap_udp_sendto',` gen_require(` type portmap_t;
- class udp_socket { sendto recvfrom };
') allow $1 portmap_t:udp_socket sendto;
diff --git a/refpolicy/policy/modules/services/rshd.if b/refpolicy/policy/modules/services/rshd.if
index 9538cb0..daee569 100644
--- a/refpolicy/policy/modules/services/rshd.if
+++ b/refpolicy/policy/modules/services/rshd.if
@@ -11,9 +11,6 @@ interface(`rshd_domtrans',` gen_require(` type rshd_exec_t, rshd_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
') files_search_usr($1)
diff --git a/refpolicy/policy/modules/services/zebra.if b/refpolicy/policy/modules/services/zebra.if
index 781cb1e..cc57721 100644
--- a/refpolicy/policy/modules/services/zebra.if
+++ b/refpolicy/policy/modules/services/zebra.if
@@ -11,9 +11,6 @@ interface(`zebra_read_config',` gen_require(` type zebra_conf_t;
- class file r_file_perms;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
') files_search_etc($1)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 583b3c9..519a80a 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -210,9 +210,6 @@ interface(`auth_login_entry_type',` interface(`auth_domtrans_login_program',` gen_require(` type login_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
') corecmd_search_bin($1)
@@ -235,10 +232,6 @@ interface(`auth_domtrans_login_program',` interface(`auth_domtrans_chk_passwd',` gen_require(` type system_chkpwd_t, chkpwd_exec_t, shadow_t;
- class process sigchld;
- class udp_socket create_socket_perms;
- class fd use;
- class fifo_file rw_file_perms;
') corecmd_search_sbin($1)
@@ -286,7 +279,6 @@ interface(`auth_domtrans_chk_passwd',` interface(`auth_getattr_shadow',` gen_require(` type shadow_t;
- class file getattr;
') files_search_etc($1)
@@ -305,7 +297,6 @@ interface(`auth_getattr_shadow',` interface(`auth_dontaudit_getattr_shadow',` gen_require(` type shadow_t;
- class file getattr;
') dontaudit $1 shadow_t:file getattr;
@@ -339,7 +330,6 @@ interface(`auth_can_read_shadow_passwords',` interface(`auth_tunable_read_shadow',` gen_require(` type shadow_t;
- class file r_file_perms;
') files_list_etc($1)
@@ -358,7 +348,6 @@ interface(`auth_tunable_read_shadow',` interface(`auth_dontaudit_read_shadow',` gen_require(` type shadow_t;
- class file r_file_perms;
') dontaudit $1 shadow_t:file { getattr read };
@@ -376,7 +365,6 @@ interface(`auth_rw_shadow',` gen_require(` attribute can_read_shadow_passwords, can_write_shadow_passwords; type shadow_t;
- class file rw_file_perms;
') files_list_etc($1)
@@ -392,7 +380,6 @@ interface(`auth_manage_shadow',` gen_require(` attribute can_read_shadow_passwords, can_write_shadow_passwords; type shadow_t;
- class file create_file_perms;
') allow $1 shadow_t:file create_file_perms;
@@ -452,7 +439,6 @@ interface(`auth_relabel_shadow',` interface(`auth_append_faillog',` gen_require(` type faillog_t;
- class file { getattr append };
') logging_search_logs($1)
@@ -466,7 +452,6 @@ interface(`auth_append_faillog',` interface(`auth_rw_faillog',` gen_require(` type faillog_t;
- class file rw_file_perms;
') logging_search_logs($1)
@@ -562,7 +547,6 @@ interface(`auth_domtrans_pam',` interface(`auth_run_pam',` gen_require(` type pam_t;
- class chr_file rw_file_perms;
') auth_domtrans_pam($1)
@@ -648,8 +632,6 @@ interface(`auth_dontaudit_read_pam_pid',` interface(`auth_delete_pam_pid',` gen_require(` type pam_var_run_t;
- class dir { getattr search read write remove_name };
- class file { getattr unlink };
') files_search_var($1)
@@ -683,9 +665,6 @@ interface(`auth_manage_pam_pid',` interface(`auth_domtrans_pam_console',` gen_require(` type pam_console_t, pam_console_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
') domain_auto_trans($1,pam_console_exec_t,pam_console_t)
@@ -736,8 +715,6 @@ interface(`auth_list_pam_console_data',` interface(`auth_read_pam_console_data',` gen_require(` type pam_var_console_t;
- class dir r_dir_perms;
- class file r_file_perms;
') files_search_var($1)
@@ -753,9 +730,6 @@ interface(`auth_read_pam_console_data',` interface(`auth_manage_pam_console_data',` gen_require(` type pam_var_console_t;
- class dir rw_dir_perms;
- class file create_file_perms;
- class lnk_file create_lnk_perms;
') files_search_var($1)
@@ -902,9 +876,6 @@ interface(`auth_manage_all_files_except_shadow',` interface(`auth_domtrans_utempter',` gen_require(` type utempter_t, utempter_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
') domain_auto_trans($1,utempter_exec_t,utempter_t)
@@ -932,7 +903,6 @@ interface(`auth_domtrans_utempter',` interface(`auth_run_utempter',` gen_require(` type utempter_t;
- class chr_file rw_file_perms;
') auth_domtrans_utempter($1)
@@ -976,7 +946,6 @@ interface(`auth_setattr_login_records',` interface(`auth_read_login_records',` gen_require(` type wtmp_t;
- class file r_file_perms;
') logging_search_logs($1)
@@ -990,7 +959,6 @@ interface(`auth_read_login_records',` interface(`auth_dontaudit_write_login_records',` gen_require(` type wtmp_t;
- class file write;
') dontaudit $1 wtmp_t:file write;
@@ -1035,7 +1003,6 @@ interface(`auth_write_login_records',` interface(`auth_rw_login_records',` gen_require(` type wtmp_t;
- class file rw_file_perms;
') allow $1 wtmp_t:file rw_file_perms;
@@ -1061,7 +1028,6 @@ interface(`auth_filetrans_login_records',` interface(`auth_manage_login_records',` gen_require(` type wtmp_t;
- class file create_file_perms;
') logging_rw_log_dir($1)
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index 46a3aee..050bb43 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -11,8 +11,6 @@ interface(`clock_domtrans',` gen_require(` type hwclock_t, hwclock_exec_t;
- class fd use;
- class fifo_file rw_file_perms;
') domain_auto_trans($1,hwclock_exec_t,hwclock_t)
@@ -41,7 +39,6 @@ interface(`clock_domtrans',` interface(`clock_run',` gen_require(` type hwclock_t;
- class chr_file { getattr read write ioctl };
') clock_domtrans($1)
@@ -76,7 +73,6 @@ interface(`clock_exec',` interface(`clock_rw_adjtime',` gen_require(` type adjtime_t;
- class file rw_file_perms;
') allow $1 adjtime_t:file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/fstools.if b/refpolicy/policy/modules/system/fstools.if
index f6a52b9..c3e24ba 100644
--- a/refpolicy/policy/modules/system/fstools.if
+++ b/refpolicy/policy/modules/system/fstools.if
@@ -11,8 +11,6 @@ interface(`fstools_domtrans',` gen_require(` type fsadm_t, fsadm_exec_t;
- class fd use;
- class fifo_file rw_file_perms;
') corecmd_search_sbin($1)
@@ -42,7 +40,6 @@ interface(`fstools_domtrans',` interface(`fstools_run',` gen_require(` type fsadm_t;
- class chr_file { getattr read write ioctl };
') fstools_domtrans($1)
@@ -95,7 +92,6 @@ interface(`fstools_relabelto_entry_files',` interface(`fstools_manage_entry_files',` gen_require(` type fsadm_exec_t;
- class file create_file_perms;
') allow $1 fsadm_exec_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if
index a1d2ba1..b6daa3f 100644
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@@ -11,9 +11,6 @@ interface(`hostname_domtrans',` gen_require(` type hostname_t, hostname_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
') corecmd_search_bin($1)
@@ -43,7 +40,6 @@ interface(`hostname_domtrans',` interface(`hostname_run',` gen_require(` type hostname_t;
- class chr_file { getattr read write ioctl };
') hostname_domtrans($1)
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index 7e10b6a..4971f29 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -10,9 +10,6 @@ interface(`hotplug_domtrans',` gen_require(` type hotplug_t, hotplug_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
') corecmd_search_sbin($1)
@@ -44,7 +41,6 @@ interface(`hotplug_exec',` interface(`hotplug_use_fd',` gen_require(` type hotplug_t;
- class fd use;
') allow $1 hotplug_t:fd use;
@@ -57,7 +53,6 @@ interface(`hotplug_use_fd',` interface(`hotplug_dontaudit_use_fd',` gen_require(` type hotplug_t;
- class fd use;
') dontaudit $1 hotplug_t:fd use;
@@ -70,7 +65,6 @@ interface(`hotplug_dontaudit_use_fd',` interface(`hotplug_dontaudit_search_config',` gen_require(` type hotplug_etc_t;
- class dir search;
') dontaudit $1 hotplug_etc_t:dir search;
@@ -87,7 +81,6 @@ interface(`hotplug_dontaudit_search_config',` interface(`hotplug_getattr_config_dir',` gen_require(` type hotplug_etc_t;
- class dir getattr;
') allow $1 hotplug_etc_t:dir getattr;
@@ -104,7 +97,6 @@ interface(`hotplug_getattr_config_dir',` interface(`hotplug_search_config',` gen_require(` type hotplug_etc_t;
- class dir { getattr search };
') allow $1 hotplug_etc_t:dir { getattr search };
@@ -121,9 +113,6 @@ interface(`hotplug_search_config',` interface(`hotplug_read_config',` gen_require(` type hotplug_etc_t;
- class file r_file_perms;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
') files_search_etc($1)
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index cff6c0f..bfb8c09 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -15,9 +15,6 @@ interface(`init_domain',` gen_require(` type init_t; role system_r;
- class fd use;
- class fifo_file rw_file_perms;
- class process sigchld;
') domain_type($1)
@@ -125,9 +122,6 @@ interface(`init_system_domain',` gen_require(` type initrc_t; role system_r;
- class fd use;
- class fifo_file rw_file_perms;
- class process sigchld;
') domain_type($1)
@@ -150,9 +144,6 @@ interface(`init_system_domain',` interface(`init_domtrans',` gen_require(` type init_t, init_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
') domain_auto_trans($1,init_exec_t,init_t)
@@ -187,7 +178,6 @@ interface(`init_exec',` interface(`init_get_process_group',` gen_require(` type init_t;
- class process getpgid;
') allow $1 init_t:process getpgid;
@@ -200,7 +190,6 @@ interface(`init_get_process_group',` interface(`init_getattr_initctl',` gen_require(` type initctl_t;
- class fifo_file getattr;
') allow $1 initctl_t:fifo_file getattr;
@@ -213,7 +202,6 @@ interface(`init_getattr_initctl',` interface(`init_dontaudit_getattr_initctl',` gen_require(` type initctl_t;
- class fifo_file getattr;
') dontaudit $1 initctl_t:fifo_file getattr;
@@ -226,7 +214,6 @@ interface(`init_dontaudit_getattr_initctl',` interface(`init_write_initctl',` gen_require(` type initctl_t;
- class fifo_file write;
') dev_list_all_dev_nodes($1)
@@ -240,7 +227,6 @@ interface(`init_write_initctl',` interface(`init_use_initctl',` gen_require(` type initctl_t;
- class fifo_file rw_file_perms;
') dev_list_all_dev_nodes($1)
@@ -254,7 +240,6 @@ interface(`init_use_initctl',` interface(`init_dontaudit_use_initctl',` gen_require(` type initctl_t;
- class fifo_file { read write };
') dontaudit $1 initctl_t:fifo_file { read write };
@@ -271,7 +256,6 @@ interface(`init_dontaudit_use_initctl',` interface(`init_signull',` gen_require(` type init_t;
- class process signull;
') allow $1 init_t:process signull;
@@ -288,7 +272,6 @@ interface(`init_signull',` interface(`init_sigchld',` gen_require(` type init_t;
- class process sigchld;
') allow $1 init_t:process sigchld;
@@ -301,7 +284,6 @@ interface(`init_sigchld',` interface(`init_use_fd',` gen_require(` type init_t;
- class fd use;
') allow $1 init_t:fd use;
@@ -314,7 +296,6 @@ interface(`init_use_fd',` interface(`init_dontaudit_use_fd',` gen_require(` type init_t;
- class fd use;
') dontaudit $1 init_t:fd use;
@@ -331,7 +312,6 @@ interface(`init_dontaudit_use_fd',` interface(`init_udp_sendto',` gen_require(` type init_t;
- class udp_socket { sendto recvfrom };
') allow $1 init_t:udp_socket sendto;
@@ -381,7 +361,6 @@ interface(`init_run_daemon',` gen_require(` attribute direct_run_init, direct_init, direct_init_entry; role system_r;
- class chr_file rw_file_perms;
') typeattribute $1 direct_run_init;
@@ -433,7 +412,6 @@ interface(`init_getattr_script_entry_file',` interface(`init_read_script',` gen_require(` type initrc_exec_t;
- class file { getattr read };
') files_list_etc($1)
@@ -464,10 +442,6 @@ interface(`init_exec_script',` interface(`init_read_script_process_state',` gen_require(` type initrc_t;
- class dir r_dir_perms;
- class file r_file_perms;
- class lnk_file r_file_perms;
- class process { getattr ptrace };
') #FIXME: search proc dir
@@ -489,7 +463,6 @@ interface(`init_read_script_process_state',` interface(`init_use_script_fd',` gen_require(` type initrc_t;
- class fd use;
') allow $1 initrc_t:fd use;
@@ -502,7 +475,6 @@ interface(`init_use_script_fd',` interface(`init_dontaudit_use_script_fd',` gen_require(` type initrc_t;
- class fd use;
') dontaudit $1 initrc_t:fd use;
@@ -515,7 +487,6 @@ interface(`init_dontaudit_use_script_fd',` interface(`init_get_script_process_group',` gen_require(` type initrc_t;
- class process getpgid;
') allow $1 initrc_t:process getpgid;
@@ -580,7 +551,6 @@ interface(`init_signull_script',` interface(`init_rw_script_pipe',` gen_require(` type initrc_t;
- class chr_file { read write };
') allow $1 initrc_t:fifo_file { read write };
@@ -597,7 +567,6 @@ interface(`init_rw_script_pipe',` interface(`init_udp_sendto_script',` gen_require(` type initrc_t;
- class udp_socket { sendto recvfrom };
') allow $1 initrc_t:udp_socket sendto;
@@ -711,7 +680,6 @@ interface(`init_dontaudit_use_script_pty',` interface(`init_read_script_file',` gen_require(` type initrc_exec_t;
- class file r_file_perms;
') files_search_etc($1)
@@ -777,7 +745,6 @@ interface(`init_filetrans_script_tmp',` interface(`init_getattr_utmp',` gen_require(` type initrc_var_run_t;
- class file getattr;
') allow $1 initrc_var_run_t:file getattr;
@@ -790,7 +757,6 @@ interface(`init_getattr_utmp',` interface(`init_read_utmp',` gen_require(` type initrc_var_run_t;
- class file r_file_perms;
') files_list_pids($1)
@@ -804,7 +770,6 @@ interface(`init_read_utmp',` interface(`init_dontaudit_write_utmp',` gen_require(` type initrc_var_run_t;
- class file { write lock };
') dontaudit $1 initrc_var_run_t:file { write lock };
@@ -834,7 +799,6 @@ interface(`init_dontaudit_lock_utmp',` interface(`init_rw_utmp',` gen_require(` type initrc_var_run_t;
- class file rw_file_perms;
') files_list_pids($1)
@@ -848,7 +812,6 @@ interface(`init_rw_utmp',` interface(`init_dontaudit_rw_utmp',` gen_require(` type initrc_var_run_t;
- class file rw_file_perms;
') dontaudit $1 initrc_var_run_t:file { getattr read write append };
diff --git a/refpolicy/policy/modules/system/ipsec.if b/refpolicy/policy/modules/system/ipsec.if
index c48f7d3..0294ab2 100644
--- a/refpolicy/policy/modules/system/ipsec.if
+++ b/refpolicy/policy/modules/system/ipsec.if
@@ -11,9 +11,6 @@ interface(`ipsec_domtrans',` gen_require(` type ipsec_t, ipsec_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
') domain_auto_trans($1,ipsec_exec_t,ipsec_t)
@@ -35,9 +32,6 @@ interface(`ipsec_domtrans',` interface(`ipsec_stream_connect',` gen_require(` type ipsec_t, ipsec_var_run_t;
- class dir search;
- class sock_file write;
- class unix_stream_socket connectto;
') files_search_pids($1)
@@ -57,7 +51,6 @@ interface(`ipsec_stream_connect',` interface(`ipsec_getattr_key_socket',` gen_require(` type ipsec_t;
- class key_socket getattr;
') allow $1 ipsec_t:key_socket getattr;
@@ -90,7 +83,6 @@ interface(`ipsec_exec_mgmt',` interface(`ipsec_read_config',` gen_require(` type ipsec_conf_file_t;
- class file r_file_perms;
') files_search_etc($1)
@@ -108,8 +100,6 @@ interface(`ipsec_read_config',` interface(`ipsec_manage_pid',` gen_require(` type ipsec_var_run_t;
- class dir rw_dir_perms;
- class file create_file_perms;
') files_search_pids($1)
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index 8863b6a..ba832f8 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -39,7 +39,6 @@ interface(`libs_domtrans_ldconfig',` interface(`libs_run_ldconfig',` gen_require(` type ldconfig_t;
- class chr_file rw_term_perms;
') libs_domtrans_ldconfig($1)
@@ -59,9 +58,6 @@ interface(`libs_run_ldconfig',` interface(`libs_use_ld_so',` gen_require(` type lib_t, ld_so_t, ld_so_cache_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- class file rx_file_perms;
') files_list_etc($1)
@@ -84,7 +80,6 @@ interface(`libs_use_ld_so',` interface(`libs_legacy_use_ld_so',` gen_require(` type ld_so_t, ld_so_cache_t;
- class file { execute execmod };
') libs_use_ld_so($1)
@@ -103,8 +98,6 @@ interface(`libs_legacy_use_ld_so',` interface(`libs_exec_ld_so',` gen_require(` type lib_t, ld_so_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
') allow $1 lib_t:dir r_dir_perms;
@@ -163,7 +156,6 @@ interface(`libs_relabel_ld_so',` interface(`libs_rw_ld_so_cache',` gen_require(` type ld_so_cache_t;
- class file rw_file_perms;
') files_list_etc($1)
@@ -181,7 +173,6 @@ interface(`libs_rw_ld_so_cache',` interface(`libs_search_lib',` gen_require(` type lib_t;
- class dir search;
') allow $1 lib_t:dir search;
@@ -199,9 +190,6 @@ interface(`libs_search_lib',` interface(`libs_read_lib',` gen_require(` type lib_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- class file r_file_perms;
') files_search_usr($1)
@@ -220,8 +208,6 @@ interface(`libs_read_lib',` interface(`libs_exec_lib_files',` gen_require(` type lib_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
') files_search_usr($1)
@@ -280,7 +266,6 @@ interface(`libs_manage_lib_files',` interface(`libs_relabelto_lib_files',` gen_require(` type lib_t;
- class file relabelto;
') allow $1 lib_t:dir search_dir_perms;
@@ -357,7 +342,6 @@ interface(`libs_use_shared_libs',` interface(`libs_legacy_use_shared_libs',` gen_require(` type shlib_t, textrel_shlib_t;
- class file execmod;
') libs_use_shared_libs($1)
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
index d370d54..8bfaee3 100644
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@@ -27,7 +27,6 @@ interface(`locallogin_domtrans',` interface(`locallogin_use_fd',` gen_require(` type local_login_t;
- class fd use;
') allow $1 local_login_t:fd use;
@@ -44,7 +43,6 @@ interface(`locallogin_use_fd',` interface(`locallogin_dontaudit_use_fd',` gen_require(` type local_login_t;
- class fd use;
') dontaudit $1 local_login_t:fd use;
@@ -61,7 +59,6 @@ interface(`locallogin_dontaudit_use_fd',` interface(`locallogin_signull',` gen_require(` type local_login_t;
- class process signull;
') allow $1 local_login_t:process signull;
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index bb1f079..106ab76 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -70,9 +70,6 @@ interface(`logging_domtrans_auditctl',` interface(`logging_domtrans_syslog',` gen_require(` type syslogd_t, syslogd_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
') corecmd_search_sbin($1)
@@ -91,7 +88,6 @@ interface(`logging_domtrans_syslog',` interface(`logging_filetrans_log',` gen_require(` type var_log_t;
- class dir rw_dir_perms;
') allow $1 var_log_t:dir rw_dir_perms;
@@ -110,10 +106,6 @@ interface(`logging_filetrans_log',` interface(`logging_send_syslog_msg',` gen_require(` type syslogd_t, devlog_t;
- class lnk_file read;
- class sock_file rw_file_perms;
- class unix_dgram_socket { create_socket_perms sendto };
- class unix_stream_socket { create_socket_perms connectto };
') allow $1 devlog_t:lnk_file read;
@@ -140,7 +132,6 @@ interface(`logging_send_syslog_msg',` interface(`logging_read_auditd_config',` gen_require(` type auditd_etc_t;
- class file r_file_perms;
') files_search_etc($1)
@@ -160,7 +151,6 @@ interface(`logging_read_auditd_config',`
 interface(`logging_search_logs',`
 gen_require(`
 type var_log_t;
- class dir search;
 ')
 files_search_var($1)
@@ -195,7 +185,6 @@ interface(`logging_list_logs',`
 interface(`logging_rw_log_dir',`
 gen_require(`
 type var_log_t;
- class dir rw_dir_perms;
 ')
 files_search_var($1)
@@ -209,7 +198,6 @@ interface(`logging_rw_log_dir',`
 interface(`logging_dontaudit_getattr_all_logs',`
 gen_require(`
 attribute logfile;
- class file getattr;
 ')
 dontaudit $1 logfile:file getattr;
@@ -223,8 +211,6 @@ interface(`logging_append_all_logs',`
 gen_require(`
 attribute logfile;
 type var_log_t;
- class dir r_dir_perms;
- class file { getattr append };
 ')
 files_search_var($1)
@@ -240,8 +226,6 @@ interface(`logging_read_all_logs',`
 gen_require(`
 attribute logfile;
 type var_log_t;
- class dir r_dir_perms;
- class file r_file_perms;
 ')
 files_search_var($1)
@@ -262,7 +246,6 @@ interface(`logging_read_all_logs',`
 interface(`logging_exec_all_logs',`
 gen_require(`
 attribute logfile;
- class dir r_dir_perms;
 ')
 files_search_var($1)
@@ -277,8 +260,6 @@ interface(`logging_exec_all_logs',`
 interface(`logging_manage_all_logs',`
 gen_require(`
 attribute logfile;
- class dir rw_dir_perms;
- class file create_file_perms;
 ')
 files_search_var($1)
@@ -294,8 +275,6 @@ interface(`logging_manage_all_logs',`
 interface(`logging_read_generic_logs',`
 gen_require(`
 type var_log_t;
- class dir r_dir_perms;
- class file r_file_perms;
 ')
 files_search_var($1)
@@ -310,8 +289,6 @@ interface(`logging_read_generic_logs',`
 interface(`logging_write_generic_logs',`
 gen_require(`
 type var_log_t;
- class dir r_dir_perms;
- class file { getattr write };
 ')
 files_search_var($1)
@@ -330,8 +307,6 @@ interface(`logging_write_generic_logs',`
 interface(`logging_rw_generic_logs',`
 gen_require(`
 type var_log_t;
- class dir r_dir_perms;
- class file rw_file_perms;
 ')
 files_search_var($1)
@@ -351,8 +326,6 @@ interface(`logging_rw_generic_logs',`
 interface(`logging_manage_generic_logs',`
 gen_require(`
 type var_log_t;
- class dir rw_dir_perms;
- class file create_file_perms;
 ')
 files_search_var($1)
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index 6d55b2f..56a6740 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -11,9 +11,6 @@ interface(`mount_domtrans',`
 gen_require(`
 type mount_t, mount_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 domain_auto_trans($1,mount_exec_t,mount_t)
@@ -43,7 +40,6 @@ interface(`mount_domtrans',`
 interface(`mount_run',`
 gen_require(`
 type mount_t;
- class chr_file rw_file_perms;
 ')
 mount_domtrans($1)
@@ -81,7 +77,6 @@ interface(`mount_exec',`
 interface(`mount_use_fd',`
 gen_require(`
 type mount_t;
- class fd use;
 ')
 allow $1 mount_t:fd use;
@@ -99,7 +94,6 @@ interface(`mount_use_fd',`
 interface(`mount_send_nfs_client_request',`
 gen_require(`
 type mount_t;
- class udp_socket rw_socket_perms;
 ')
 allow $1 mount_t:udp_socket rw_socket_perms;
diff --git a/refpolicy/policy/modules/system/raid.if b/refpolicy/policy/modules/system/raid.if
index 1981606..cfbcff9 100644
--- a/refpolicy/policy/modules/system/raid.if
+++ b/refpolicy/policy/modules/system/raid.if
@@ -11,9 +11,6 @@ interface(`raid_domtrans_mdadm',`
 gen_require(`
 type mdadm_t, mdadm_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 corecmd_search_sbin($1)
@@ -44,7 +41,6 @@ interface(`raid_domtrans_mdadm',`
 interface(`raid_manage_mdadm_pid',`
 gen_require(`
 type mdadm_var_run_t;
- class file create_file_perms;
 ')
 # FIXME: maybe should have a type_transition. not
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index a4a2f45..e78929b 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -11,9 +11,6 @@ interface(`seutil_domtrans_checkpol',`
 gen_require(`
 type checkpolicy_t, checkpolicy_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 files_search_usr($1)
@@ -45,7 +42,6 @@ interface(`seutil_domtrans_checkpol',`
 interface(`seutil_run_checkpol',`
 gen_require(`
 type checkpolicy_t;
- class chr_file rw_term_perms;
 ')
 seutil_domtrans_checkpol($1)
@@ -78,9 +74,6 @@ interface(`seutil_exec_checkpol',`
 interface(`seutil_domtrans_loadpol',`
 gen_require(`
 type load_policy_t, load_policy_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 corecmd_search_sbin($1)
@@ -112,7 +105,6 @@ interface(`seutil_domtrans_loadpol',`
 interface(`seutil_run_loadpol',`
 gen_require(`
 type load_policy_t;
- class chr_file rw_term_perms;
 ')
 seutil_domtrans_loadpol($1)
@@ -140,7 +132,6 @@ interface(`seutil_exec_loadpol',`
 interface(`seutil_read_loadpol',`
 gen_require(`
 type load_policy_exec_t;
- class file r_file_perms;
 ')
 corecmd_search_sbin($1)
@@ -158,9 +149,6 @@ interface(`seutil_read_loadpol',`
 interface(`seutil_domtrans_newrole',`
 gen_require(`
 type newrole_t, newrole_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 files_search_usr($1)
@@ -192,7 +180,6 @@ interface(`seutil_domtrans_newrole',`
 interface(`seutil_run_newrole',`
 gen_require(`
 type newrole_t;
- class chr_file rw_term_perms;
 ')
 seutil_domtrans_newrole($1)
@@ -226,7 +213,6 @@ interface(`seutil_exec_newrole',`
 interface(`seutil_dontaudit_signal_newrole',`
 gen_require(`
 type newrole_t;
- class process signal;
 ')
 dontaudit $1 newrole_t:process signal;
@@ -239,7 +225,6 @@ interface(`seutil_dontaudit_signal_newrole',`
 interface(`seutil_sigchld_newrole',`
 gen_require(`
 type newrole_t;
- class process sigchld;
 ')
 allow $1 newrole_t:process sigchld;
@@ -252,7 +237,6 @@ interface(`seutil_sigchld_newrole',`
 interface(`seutil_use_newrole_fd',`
 gen_require(`
 type newrole_t;
- class fd use;
 ')
 allow $1 newrole_t:fd use;
@@ -269,9 +253,6 @@ interface(`seutil_use_newrole_fd',`
 interface(`seutil_domtrans_restorecon',`
 gen_require(`
 type restorecon_t, restorecon_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 corecmd_search_sbin($1)
@@ -302,7 +283,6 @@ interface(`seutil_domtrans_restorecon',`
 interface(`seutil_run_restorecon',`
 gen_require(`
 type restorecon_t;
- class chr_file rw_term_perms;
 ')
 seutil_domtrans_restorecon($1)
@@ -334,9 +314,6 @@ interface(`seutil_exec_restorecon',`
 interface(`seutil_domtrans_runinit',`
 gen_require(`
 type run_init_t, run_init_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 files_search_usr($1)
@@ -384,7 +361,6 @@ interface(`seutil_run_runinit',`
 interface(`seutil_use_runinit_fd',`
 gen_require(`
 type run_init_t;
- class fd use;
 ')
 allow $1 run_init_t:fd use;
@@ -401,9 +377,6 @@ interface(`seutil_use_runinit_fd',`
 interface(`seutil_domtrans_setfiles',`
 gen_require(`
 type setfiles_t, setfiles_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 files_search_usr($1)
@@ -435,7 +408,6 @@ interface(`seutil_domtrans_setfiles',`
 interface(`seutil_run_setfiles',`
 gen_require(`
 type setfiles_t;
- class chr_file rw_term_perms;
 ')
 seutil_domtrans_setfiles($1)
@@ -469,7 +441,6 @@ interface(`seutil_exec_setfiles',`
 interface(`seutil_dontaudit_search_config',`
 gen_require(`
 type selinux_config_t;
- class dir search;
 ')
 dontaudit $1 selinux_config_t:dir search;
@@ -519,7 +490,6 @@ interface(`seutil_read_config',`
 interface(`seutil_search_default_contexts',`
 gen_require(`
 type selinux_config_t, default_context_t;
- class dir search;
 ')
 files_search_etc($1)
@@ -566,8 +536,6 @@ interface(`seutil_read_file_contexts',`
 interface(`seutil_read_binary_pol',`
 gen_require(`
 type selinux_config_t, policy_config_t;
- class dir r_dir_perms;
- class file r_file_perms;
 ')
 files_search_etc($1)
@@ -584,8 +552,6 @@ interface(`seutil_create_binary_pol',`
 gen_require(`
 # attribute can_write_binary_policy;
 type selinux_config_t, policy_config_t;
- class dir ra_dir_perms;
- class file { getattr create write };
 ')
 files_search_etc($1)
@@ -607,7 +573,6 @@ interface(`seutil_relabelto_binary_pol',`
 gen_require(`
 attribute can_relabelto_binary_policy;
 type policy_config_t;
- class file relabelto;
 ')
 allow $1 policy_config_t:file relabelto;
@@ -622,8 +587,6 @@ interface(`seutil_manage_binary_pol',`
 gen_require(`
 attribute can_write_binary_policy;
 type selinux_config_t, policy_config_t;
- class dir rw_dir_perms;
- class file create_file_perms;
 ')
 files_search_etc($1)
@@ -640,8 +603,6 @@ interface(`seutil_manage_binary_pol',`
 interface(`seutil_read_src_pol',`
 gen_require(`
 type selinux_config_t, policy_src_t;
- class dir r_dir_perms;
- class file r_file_perms;
 ')
 files_search_etc($1)
@@ -657,8 +618,6 @@ interface(`seutil_read_src_pol',`
 interface(`seutil_manage_src_pol',`
 gen_require(`
 type selinux_config_t, policy_src_t;
- class dir create_dir_perms;
- class file create_file_perms;
 ')
 files_search_etc($1)
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index fdb3987..b330404 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -112,9 +112,6 @@ template(`unconfined_domain_template',`
 interface(`unconfined_domtrans',`
 gen_require(`
 type unconfined_t, unconfined_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
 ')
 domain_auto_trans($1,unconfined_exec_t,unconfined_t)
@@ -142,7 +139,6 @@ interface(`unconfined_domtrans',`
 interface(`unconfined_run',`
 gen_require(`
 type unconfined_t;
- class chr_file rw_term_perms;
 ')
 unconfined_domtrans($1)
@@ -177,7 +173,6 @@ interface(`unconfined_shell_domtrans',`
 interface(`unconfined_use_fd',`
 gen_require(`
 type unconfined_t;
- class fd use;
 ')
 allow $1 unconfined_t:fd use;
@@ -194,7 +189,6 @@ interface(`unconfined_use_fd',`
 interface(`unconfined_sigchld',`
 gen_require(`
 type unconfined_t;
- class process sigchld;
 ')
 allow $1 unconfined_t:process sigchld;
@@ -259,7 +253,6 @@ interface(`unconfined_dontaudit_read_pipe',`
 interface(`unconfined_rw_pipe',`
 gen_require(`
 type unconfined_t;
- class fifo_file rw_file_perms;
 ')
 allow $1 unconfined_t:fifo_file rw_file_perms;
@@ -287,7 +280,6 @@ interface(`unconfined_rw_pipe',`
 interface(`unconfined_dontaudit_rw_tcp_socket',`
 gen_require(`
 type unconfined_t;
- class tcp_socket { read write };
 ')
 dontaudit $1 unconfined_t:tcp_socket { read write };