diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
index ceb2142..e31d92a 100644
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
@@ -183,7 +183,7 @@ interface(`amavis_setattr_pid_files',`
 type amavis_var_run_t;
 ')
- allow $1 amavis_var_run_t:file setattr;
+ allow $1 amavis_var_run_t:file setattr_file_perms;
 files_search_pids($1)
 ')
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 0ec0fb0..8846b96 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -209,7 +209,7 @@ interface(`apache_role',`
 allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
- allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
+ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
 manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
 manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
@@ -499,7 +499,7 @@ interface(`apache_setattr_cache_dirs',`
 type httpd_cache_t;
 ')
- allow $1 httpd_cache_t:dir setattr;
+ allow $1 httpd_cache_t:dir setattr_dir_perms;
 ')
 ########################################
@@ -730,7 +730,7 @@ interface(`apache_dontaudit_append_log',`
 type httpd_log_t;
 ')
- dontaudit $1 httpd_log_t:file { getattr append };
+ dontaudit $1 httpd_log_t:file append_file_perms;
 ')
 ########################################
diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if
index 8c1c60c..49e6c74 100644
--- a/policy/modules/services/apm.if
+++ b/policy/modules/services/apm.if
@@ -52,7 +52,7 @@ interface(`apm_write_pipes',`
 type apmd_t;
 ')
- allow $1 apmd_t:fifo_file write;
+ allow $1 apmd_t:fifo_file write_fifo_file_perms;
 ')
 ########################################
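Review bot: In the `apache_dontaudit_append_log` hunk, swapping `{ getattr append }` for `append_file_perms` on a `dontaudit` rule suppresses more denials than before if the set is defined as in the reference policy, where it also carries `lock` and `ioctl` (and `open` where the class has it); please confirm against this tree's permission-set definitions. Each extra permission in a dontaudit set is an AVC denial that stops reaching the audit log, so this reduces detection coverage rather than only renaming. The same applies to the `bluetooth_dontaudit_read_helper_state` hunk, where `dir search` becomes `search_dir_perms` and `file { read getattr }` becomes `read_file_perms`. If the change is meant to be cosmetic, keep the explicit list on dontaudit rules, e.g. `dontaudit $1 httpd_log_t:file { getattr append };`. The interface header and its doc comment lie outside the hunk.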
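Review bot: In the `apm_write_pipes` hunk, `allow $1 apmd_t:fifo_file write;` becoming `write_fifo_file_perms` is not a pure rename if the set is defined as in the reference policy, where it bundles `getattr`, `append`, `lock` and `ioctl` (and `open` where present) with `write`; confirm against this tree's definitions. Every caller of the interface then gains those permissions through what reads as a mechanical substitution, which cuts against least privilege. The same widening applies to `apm_append_log` (`append` to `append_file_perms`) and `bluetooth_read_config` (`{ getattr read ioctl }` to `read_file_perms`), while the `setattr_file_perms`, `setattr_dir_perms` and `getattr_dir_perms` substitutions appear equivalent to the single permission they replace. Consider splitting the widening hunks into their own commit and stating the intended grant in each interface's summary, which starts outside these hunks.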
@@ -89,7 +89,7 @@ interface(`apm_append_log',`
 ')
 logging_search_logs($1)
- allow $1 apmd_log_t:file append;
+ allow $1 apmd_log_t:file append_file_perms;
 ')
 ########################################
diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
index 617eead..a43e006 100644
--- a/policy/modules/services/automount.if
+++ b/policy/modules/services/automount.if
@@ -123,7 +123,7 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
 type automount_tmp_t;
 ')
- dontaudit $1 automount_tmp_t:dir getattr;
+ dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
 ')
 ########################################
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index b09ef44..7e9d2fb 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -186,7 +186,7 @@ interface(`bind_write_config',`
 ')
 write_files_pattern($1, named_conf_t, named_conf_t)
- allow $1 named_conf_t:file setattr;
+ allow $1 named_conf_t:file setattr_file_perms;
 ')
 ########################################
@@ -266,7 +266,7 @@ interface(`bind_setattr_pid_dirs',`
 type named_var_run_t;
 ')
- allow $1 named_var_run_t:dir setattr;
+ allow $1 named_var_run_t:dir setattr_dir_perms;
 ')
 ########################################
@@ -284,7 +284,7 @@ interface(`bind_setattr_zone_dirs',`
 type named_zone_t;
 ')
- allow $1 named_zone_t:dir setattr;
+ allow $1 named_zone_t:dir setattr_dir_perms;
 ')
 ########################################
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index a01ce9f..fa57a6f 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -92,7 +92,7 @@ interface(`bluetooth_read_config',`
 type bluetooth_conf_t;
 ')
- allow $1 bluetooth_conf_t:file { getattr read ioctl };
+ allow $1 bluetooth_conf_t:file read_file_perms;
 ')
 ########################################
@@ -192,8 +192,8 @@ interface(`bluetooth_dontaudit_read_helper_state',`
 type bluetooth_helper_t;
 ')
- dontaudit $1 bluetooth_helper_t:dir search;
- dontaudit $1 bluetooth_helper_t:file { read getattr };
+ dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
+ dontaudit $1 bluetooth_helper_t:file read_file_perms;
 ')
 ########################################
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index ffd5436..b6402c9 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -52,7 +52,7 @@ template(`cron_common_crontab_template',`
 files_list_spool($1_t)
 # crontab signals crond by updating the mtime on the spooldir
- allow $1_t cron_spool_t:dir setattr;
+ allow $1_t cron_spool_t:dir setattr_dir_perms;
 kernel_read_system_state($1_t)
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
index aa4da1d..7e129ff 100644
--- a/policy/modules/services/dhcp.if
+++ b/policy/modules/services/dhcp.if
@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
 ')
 sysnet_search_dhcp_state($1)
- allow $1 dhcpd_state_t:file setattr;
+ allow $1 dhcpd_state_t:file setattr_file_perms;
 ')
 ########################################