diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if
index daee8c0..afb9df7 100644
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
@@ -4,8 +4,14 @@
 # consoletype_domtrans(domain)
 #
 define(`consoletype_domtrans',`
- gen_require(`$0'_depend)
-
+ gen_require(`
+ type consoletype_t, consoletype_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ corecmd_search_sbin($1)
 domain_auto_trans($1,consoletype_exec_t,consoletype_t)
 allow $1 consoletype_t:fd use;
@@ -14,28 +20,15 @@ define(`consoletype_domtrans',`
 allow consoletype_t $1:process sigchld;
 ')
-define(`consoletype_domtrans_depend',`
- type consoletype_t, consoletype_exec_t;
-
- class file rx_file_perms;
- class process { transition noatsecure siginh rlimitinh sigchld };
- class fd use;
- class fifo_file rw_file_perms;
-')
-
 #######################################
 #
 # consoletype_exec(domain)
 #
 define(`consoletype_exec',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type consoletype_exec_t;
+ ')
+ corecmd_search_sbin($1)
 can_exec($1,consoletype_exec_t)
-
-')
-
-define(`consoletype_exec_depend',`
- type consoletype_exec_t;
-
- class file { getattr read execute execute_no_trans };
 ')
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
index b43e318..0c6f5b7 100644
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
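Review bot: The new `gen_require` in `consoletype_domtrans` lists only `class process sigchld`, `class fd use` and `class fifo_file rw_file_perms`, yet the `domain_auto_trans($1,consoletype_exec_t,consoletype_t)` it wraps still needs `file` execute permissions on `consoletype_exec_t` and `process transition` into `consoletype_t`, which the removed `_depend` block declared and which `domain_auto_trans` does not appear to declare itself. If the module build still validates classes and permissions named in require blocks, a loadable module calling this interface will fail on those permissions; if that validation is gone, the extra lines are merely harmless. Suggest keeping `class file rx_file_perms;` and `class process { transition sigchld };` in the require block, and doing the same in the dmesg, netutils, rpm and usermanage domtrans interfaces later in this patch, which drop the same entries.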
@@ -12,12 +12,15 @@
 ##
 #
 define(`dmesg_domtrans',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type dmesg_t, dmesg_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
- allow $1 dmesg_exec_t:file rx_file_perms;
- allow $1 dmesg_t:process transition;
- type_transition $1 dmesg_exec_t:process dmesg_t;
- dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh };
+ corecmd_search_sbin($1)
+ domain_auto_trans($1,dmesg_exec_t,dmesg_t)
 allow $1 dmesg_t:fd use;
 allow dmesg_t $1:fd use;
@@ -25,15 +28,6 @@ define(`dmesg_domtrans',`
 allow dmesg_t $1:process sigchld;
 ')
-define(`dmesg_domtrans_depend',`
- type dmesg_t, dmesg_exec_t;
-
- class file rx_file_perms;
- class process { transition noatsecure siginh rlimitinh sigchld };
- class fd use;
- class fifo_file rw_file_perms;
-')
-
 ########################################
 ##
 ##
@@ -45,16 +39,12 @@ define(`dmesg_domtrans_depend',`
 ##
 #
 define(`dmesg_exec',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type dmesg_exec_t;
+ ')
+ corecmd_search_sbin($1)
 can_exec($1,dmesg_exec_t)
-
-')
-
-define(`dmesg_exec_depend',`
- type dmesg_exec_t;
-
- class file { getattr read execute execute_no_trans };
 ')
 ##
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
index 8ad4c0a..dd833fa 100644
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@@ -4,12 +4,14 @@
 # netutils_domtrans(domain)
 #
 define(`netutils_domtrans',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type netutils_t, netutils_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
- allow $1 netutils_exec_t:file rx_file_perms;
- allow $1 netutils_t:process transition;
- type_transition $1 netutils_exec_t:process netutils_t;
- dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh };
+ domain_auto_trans($1,netutils_exec_t,netutils_t)
 allow $1 netutils_t:fd use;
 allow netutils_t $1:fd use;
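Review bot: The `corecmd_search_sbin($1)` added to `dmesg_domtrans` (and again to `dmesg_exec` in the third hunk) grants the caller search on the sbin directory type, but dmesg is commonly installed as `/bin/dmesg`, in which case the caller needs `corecmd_search_bin($1)` to reach `dmesg_exec_t` and the transition never takes place. Check the file context for dmesg in dmesg.fc, which is not part of this diff, and use the search interface that matches it; if both locations are labeled, add both calls. The rpm and passwd interfaces in this same patch use `corecmd_search_bin` for `/bin` programs, so the sbin choice here stands out and deserves a one-line comment if it is intentional.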
@@ -17,28 +19,14 @@ define(`netutils_domtrans',`
 allow netutils_t $1:process sigchld;
 ')
-define(`netutils_domtrans_depend',`
- type netutils_t, netutils_exec_t;
-
- class file rx_file_perms;
- class process { transition noatsecure siginh rlimitinh sigchld };
- class fd use;
- class fifo_file rw_file_perms;
-')
-
 #######################################
 #
 # netutils_exec(domain)
 #
 define(`netutils_exec',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type netutils_exec_t;
+ ')
 can_exec($1,netutils_exec_t)
-
-')
-
-define(`netutils_exec_depend',`
- type netutils_exec_t;
-
- class file { getattr read execute execute_no_trans };
 ')
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index 9469e07..c4c3bde 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -12,12 +12,16 @@
 ##
 #
 define(`rpm_domtrans',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type rpm_t, rpm_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
- allow $1 rpm_exec_t:file rx_file_perms;
- allow $1 rpm_t:process transition;
- type_transition $1 rpm_exec_t:process rpm_t;
- dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domain_auto_trans($1,rpm_exec_t,rpm_t)
 allow $1 rpm_t:fd use;
 allow rpm_t $1:fd use;
@@ -25,15 +29,6 @@ define(`rpm_domtrans',`
 allow rpm_t $1:process sigchld;
 ')
-define(`rpm_domtrans_depend',`
- type rpm_t, rpm_exec_t;
-
- class file rx_file_perms;
- class process { transition noatsecure siginh rlimitinh sigchld };
- class fd use;
- class fifo_file rw_file_perms;
-')
-
 ########################################
 ##
 ##
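Review bot: `netutils_exec` here, like `netutils_domtrans` in the preceding hunk, is the only exec/domtrans pair in this patch that adds no directory search permission ahead of `can_exec`/`domain_auto_trans`, so a caller that has not been granted search on the directory holding `netutils_exec_t` by some other rule cannot reach the binary at all. If these tools live under `/bin` or `/usr/sbin`, as ping and traceroute usually do, add `corecmd_search_bin($1)` and/or `corecmd_search_sbin($1)` (with `files_search_usr($1)` for `/usr` paths) in both interfaces, matching what the rpm and usermanage interfaces do. The right choice depends on netutils.fc, which is not in this diff, so please confirm the labeled paths before picking.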
@@ -51,18 +46,15 @@ define(`rpm_domtrans_depend',`
 ##
 #
 define(`rpm_run',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type rpm_t, rpm_script_t;
+ class chr_file rw_term_perms;
+ ')
 rpm_domtrans($1)
 role $2 types rpm_t;
 role $2 types rpm_script_t;
- allow rpm_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`rpm_run_depend',`
- type rpm_t, rpm_script_t;
-
- class chr_file { getattr read write ioctl };
+ allow rpm_t $3:chr_file rw_term_perms;
 ')
 ########################################
@@ -76,17 +68,14 @@ define(`rpm_run_depend',`
 ##
 #
 define(`rpm_use_fd',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type rpm_t;
+ class fd use;
+ ')
 allow $1 rpm_t:fd use;
 ')
-define(`rpm_use_fd_depend',`
- type rpm_t;
-
- class fd use;
-')
-
 ########################################
 ##
 ##
@@ -98,17 +87,14 @@ define(`rpm_use_fd_depend',`
 ##
 #
 define(`rpm_read_pipe',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type rpm_t;
+ class fifo_file r_file_perms;
+ ')
 allow $1 rpm_t:fifo_file r_file_perms;
 ')
-define(`rpm_read_pipe_depend',`
- type rpm_t;
-
- class fifo_file r_file_perms;
-')
-
 ########################################
 ##
 ##
@@ -120,39 +106,33 @@ define(`rpm_read_pipe_depend',`
 ##
 #
 define(`rpm_read_db',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type rpm_var_lib_t_t;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ class file r_file_perms;
+ ')
 allow $1 rpm_var_lib_t:dir r_dir_perms;
 allow $1 rpm_var_lib_t:file r_file_perms;
 allow $1 rpm_var_lib_t:lnk_file r_file_perms;
 ')
-define(`rpm_read_db_depend',`
- type rpm_var_lib_t_t;
-
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- class file r_file_perms;
-')
-
 ########################################
 #
 # rpm_manage_db(domain)
 #
 define(`rpm_manage_db',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type rpm_var_lib_t_t;
+ class dir rw_dir_perms;
+ class lnk_file { getattr read write unlink };
+ class file { getattr create read write append unlink };
+ ')
 allow $1 rpm_var_lib_t:dir rw_dir_perms;
 allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
 allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
 ')
-define(`rpm_manage_db_depend',`
- type rpm_var_lib_t_t;
-
- class dir rw_dir_perms;
- class lnk_file { getattr read write unlink };
- class file { getattr create read write append unlink };
-')
-
 ##
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
index eb3a539..194411f 100644
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@@ -12,12 +12,16 @@
 ##
 #
 define(`usermanage_domtrans_chfn',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type chfn_t, chfn_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
- allow $1 chfn_exec_t:file rx_file_perms;
- allow $1 chfn_t:process transition;
- type_transition $1 chfn_exec_t:process chfn_t;
- dontaudit $1 chfn_t:process { noatsecure siginh rlimitinh };
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domain_auto_trans($1,chfn_exec_t,chfn_t)
 allow $1 chfn_t:fd use;
 allow chfn_t $1:fd use;
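Review bot: Both new `gen_require` blocks in `rpm_read_db` and `rpm_manage_db` require `type rpm_var_lib_t_t;`, but every `allow` rule in those interfaces is written against `rpm_var_lib_t`, so the require names a type that presumably does not exist while the type actually used is never required. The typo is inherited from the removed `_depend` macros, but this commit rewrites those lines and is the natural place to fix it: `type rpm_var_lib_t;` in both blocks. Left as is, any module calling `rpm_read_db` or `rpm_manage_db` would be expected to fail at link time on the unknown type, or to be denied access to the rpm database, with nothing in the caller's own policy to explain it.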
@@ -25,15 +29,6 @@ define(`usermanage_domtrans_chfn',`
 allow chfn_t $1:process sigchld;
 ')
-define(`usermanage_domtrans_chfn_depend',`
- type chfn_t, chfn_exec_t;
-
- class file rx_file_perms;
- class process { transition noatsecure siginh rlimitinh sigchld };
- class fd use;
- class fifo_file rw_file_perms;
-')
-
 ########################################
 ##
 ##
@@ -52,17 +47,14 @@ define(`usermanage_domtrans_chfn_depend',`
 ##
 #
 define(`usermanage_run_chfn',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type chfn_t;
+ class chr_file rw_term_perms;
+ ')
 usermanage_domtrans_chfn($1)
 role $2 types chfn_t;
- allow chfn_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`usermanage_run_chfn_depend',`
- type chfn_t;
-
- class chr_file { getattr read write ioctl };
+ allow chfn_t $3:chr_file rw_term_perms;
 ')
 ########################################
@@ -76,8 +68,15 @@ define(`usermanage_run_chfn_depend',`
 ##
 #
 define(`usermanage_domtrans_groupadd',`
- gen_require(`$0'_depend)
-
+ gen_require(`
+ type groupadd_t, groupadd_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_sbin($1)
 domain_auto_trans($1,groupadd_exec_t,groupadd_t)
 allow $1 groupadd_t:fd use;
@@ -86,15 +85,6 @@ define(`usermanage_domtrans_groupadd',`
 allow groupadd_t $1:process sigchld;
 ')
-define(`usermanage_domtrans_groupadd_depend',`
- type groupadd_t, groupadd_exec_t;
-
- class file rx_file_perms;
- class process { transition noatsecure siginh rlimitinh sigchld };
- class fd use;
- class fifo_file rw_file_perms;
-')
-
 ########################################
 ##
 ##
@@ -113,17 +103,14 @@ define(`usermanage_domtrans_groupadd_depend',`
 ##
 #
 define(`usermanage_run_groupadd',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type groupadd_t;
+ class chr_file rw_term_perms;
+ ')
 usermanage_domtrans_groupadd($1)
 role $2 types groupadd_t;
- allow groupadd_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`usermanage_run_groupadd_depend',`
- type groupadd_t;
-
- class chr_file { getattr read write ioctl };
+ allow groupadd_t $3:chr_file rw_term_perms;
 ')
 ########################################
@@ -137,12 +124,16 @@ define(`usermanage_run_groupadd_depend',`
 ##
 #
 define(`usermanage_domtrans_passwd',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type passwd_t, passwd_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
- allow $1 passwd_exec_t:file rx_file_perms;
- allow $1 passwd_t:process transition;
- type_transition $1 passwd_exec_t:process passwd_t;
- dontaudit $1 passwd_t:process { noatsecure siginh rlimitinh };
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domain_auto_trans($1,passwd_exec_t,passwd_t)
 allow $1 passwd_t:fd use;
 allow passwd_t $1:fd use;
@@ -150,15 +141,6 @@ define(`usermanage_domtrans_passwd',`
 allow passwd_t $1:process sigchld;
 ')
-define(`usermanage_domtrans_passwd_depend',`
- type passwd_t, passwd_exec_t;
-
- class file rx_file_perms;
- class process { transition noatsecure siginh rlimitinh sigchld };
- class fd use;
- class fifo_file rw_file_perms;
-')
-
 ########################################
 ##
 ##
@@ -177,17 +159,14 @@ define(`usermanage_domtrans_passwd_depend',`
 ##
 #
 define(`usermanage_run_passwd',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type passwd_t;
+ class chr_file rw_term_perms;
+ ')
 usermanage_domtrans_passwd($1)
 role $2 types passwd_t;
- allow passwd_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`usermanage_run_passwd_depend',`
- type passwd_t;
-
- class chr_file { getattr read write ioctl };
+ allow passwd_t $3:chr_file rw_term_perms;
 ')
 ########################################
@@ -201,12 +180,16 @@ define(`usermanage_run_passwd_depend',`
 ##
 #
 define(`usermanage_domtrans_useradd',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type useradd_t, useradd_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
- allow $1 useradd_exec_t:file rx_file_perms;
- allow $1 useradd_t:process transition;
- type_transition $1 useradd_exec_t:process useradd_t;
- dontaudit $1 useradd_t:process { noatsecure siginh rlimitinh };
+ files_search_usr($1)
+ corecmd_search_sbin($1)
+ domain_auto_trans($1,useradd_exec_t,useradd_t)
 allow $1 useradd_t:fd use;
 allow useradd_t $1:fd use;
@@ -214,15 +197,6 @@ define(`usermanage_domtrans_useradd',`
 allow useradd_t $1:process sigchld;
 ')
-define(`usermanage_domtrans_useradd_depend',`
- type useradd_t, useradd_exec_t;
-
- class file rx_file_perms;
- class process { transition noatsecure siginh rlimitinh sigchld };
- class fd use;
- class fifo_file rw_file_perms;
-')
-
 ########################################
 ##
 ##
@@ -241,17 +215,14 @@ define(`usermanage_domtrans_useradd_depend',`
 ##
 #
 define(`usermanage_run_useradd',`
- gen_require(`$0'_depend)
+ gen_require(`
+ type useradd_t;
+ class chr_file rw_term_perms;
+ ')
 usermanage_domtrans_useradd($1)
 role $2 types useradd_t;
- allow useradd_t $3:chr_file { getattr read write ioctl };
-')
-
-define(`usermanage_run_useradd_depend',`
- type useradd_t;
-
- class chr_file { getattr read write ioctl };
+ allow useradd_t $3:chr_file rw_term_perms;
 ')
 ##