diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
index 9a21080..d6b2959 100644
--- a/policy/modules/services/gpm.if
+++ b/policy/modules/services/gpm.if
@@ -37,7 +37,7 @@ interface(`gpm_getattr_gpmctl',`
 ')
 dev_list_all_dev_nodes($1)
- allow $1 gpmctl_t:sock_file getattr;
+ allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
 ')
 ########################################
@@ -57,7 +57,7 @@ interface(`gpm_dontaudit_getattr_gpmctl',`
 type gpmctl_t;
 ')
- dontaudit $1 gpmctl_t:sock_file getattr;
+ dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
 ')
 ########################################
@@ -77,5 +77,5 @@ interface(`gpm_setattr_gpmctl',`
 ')
 dev_list_all_dev_nodes($1)
- allow $1 gpmctl_t:sock_file setattr;
+ allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
 ')
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 541cc80..f7d4b6d 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -103,7 +103,7 @@ interface(`kerberos_use',`
 corenet_sendrecv_kerberos_client_packets($1)
 corenet_sendrecv_ocsp_client_packets($1)
- allow $1 krb5_host_rcache_t:file getattr;
+ allow $1 krb5_host_rcache_t:file getattr_file_perms;
 ')
 optional_policy(`
diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
index 771e04b..81d98b3 100644
--- a/policy/modules/services/likewise.if
+++ b/policy/modules/services/likewise.if
@@ -63,7 +63,7 @@ template(`likewise_domain_template',`
 allow $1_t self:tcp_socket create_stream_socket_perms;
 allow $1_t self:udp_socket create_socket_perms;
- allow $1_t likewise_var_lib_t:dir setattr;
+ allow $1_t likewise_var_lib_t:dir setattr_dir_perms;
 manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
 files_pid_filetrans($1_t, $1_var_run_t, file)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 8e607ad..4d1401d 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -168,7 +168,7 @@ interface(`mta_role',`
 # Transition from the user domain to the derived domain.
 domtrans_pattern($2, sendmail_exec_t, user_mail_t)
- allow $2 sendmail_exec_t:lnk_file { getattr read };
+ allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
 allow mta_user_agent $2:fd use;
 allow mta_user_agent $2:process sigchld;
@@ -512,7 +512,7 @@ interface(`mta_write_config',`
 ')
 manage_files_pattern($1, etc_mail_t, etc_mail_t)
- allow $1 etc_mail_t:file setattr;
+ allow $1 etc_mail_t:file setattr_file_perms;
 ')
 ########################################
@@ -590,7 +590,7 @@ interface(`mta_rw_aliases',`
 ')
 files_search_etc($1)
- allow $1 etc_aliases_t:file { rw_file_perms setattr };
+ allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms };
 ')
 #######################################
@@ -684,8 +684,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
 files_dontaudit_search_spool($1)
 dontaudit $1 mail_spool_t:dir search_dir_perms;
- dontaudit $1 mail_spool_t:lnk_file read;
- dontaudit $1 mail_spool_t:file getattr;
+ dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms;
+ dontaudit $1 mail_spool_t:file getattr_file_perms;
 ')
 #######################################
@@ -735,7 +735,7 @@ interface(`mta_rw_spool',`
 files_search_spool($1)
 allow $1 mail_spool_t:dir list_dir_perms;
- allow $1 mail_spool_t:file setattr;
+ allow $1 mail_spool_t:file setattr_file_perms;
 manage_files_pattern($1, mail_spool_t, mail_spool_t)
 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 ')
@@ -876,7 +876,7 @@ interface(`mta_dontaudit_rw_queue',`
 ')
 dontaudit $1 mqueue_spool_t:dir search_dir_perms;
- dontaudit $1 mqueue_spool_t:file { getattr read write };
+ dontaudit $1 mqueue_spool_t:file rw_file_perms;
 ')
 ########################################
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index 297e392..4d06f74 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
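Review bot: In mta_write_config the converted rule `allow $1 etc_mail_t:file setattr_file_perms;` looks redundant, because the `manage_files_pattern($1, etc_mail_t, etc_mail_t)` call on the line above already grants setattr on those files if manage_file_perms is defined as in upstream refpolicy (worth confirming in this tree's obj_perm_sets.spt). The same pairing appears in the mta_rw_spool hunk, where `allow $1 mail_spool_t:file setattr_file_perms;` sits directly ahead of `manage_files_pattern($1, mail_spool_t, mail_spool_t)`. I would drop both lines, or keep them with a comment such as `# setattr is also covered by manage_files_pattern; kept for readability`. Both interfaces are named for write/rw access yet hand out full manage rights, which a caller auditing for least privilege will not expect from the name; the interface headers are outside these hunks, so I cannot see whether the summaries say so.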
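Review bot: In mta_dontaudit_getattr_spool_files the lnk_file rule is not a pure rename: `read` becomes `read_lnk_file_perms`, which in upstream refpolicy expands to `{ getattr read }`, so one more denial is silenced. The effect is larger in mta_dontaudit_rw_queue, where `{ getattr read write }` becomes `rw_file_perms` (upstream: also open, append, ioctl and lock), and in the nscd_socket_use and nscd_shm_use hunks of nscd.if, where `{ getattr read }` becomes `read_file_perms` (upstream: also open, ioctl and lock); please confirm the expansions against this tree. A wider dontaudit removes AVC denials that defenders rely on to notice a confined domain touching files it has no access to, so this should be recorded as a behaviour change rather than travel as a cleanup (the commit description is not on this page). If the wider set is intended, a comment above each rule such as `# deliberately also silences open/ioctl/lock denials` would make that visible to the next reader.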
@@ -78,7 +78,7 @@ interface(`munin_read_config',`
 allow $1 munin_etc_t:dir list_dir_perms;
 allow $1 munin_etc_t:file read_file_perms;
- allow $1 munin_etc_t:lnk_file { getattr read };
+ allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
 files_search_etc($1)
 ')
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index 8cabfd2..6df118b 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -253,7 +253,7 @@ interface(`mysql_write_log',`
 ')
 logging_search_logs($1)
- allow $1 mysqld_log_t:file { write_file_perms setattr };
+ allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
 ')
 ######################################
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index 9b51af1..d060ea7 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
 allow $1 self:udp_socket create_socket_perms;
 allow $1 var_yp_t:dir list_dir_perms;
- allow $1 var_yp_t:lnk_file { getattr read };
+ allow $1 var_yp_t:lnk_file read_lnk_file_perms;
 allow $1 var_yp_t:file read_file_perms;
 corenet_all_recvfrom_unlabeled($1)
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index f1ee95b..cb66404 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -116,7 +116,7 @@ interface(`nscd_socket_use',`
 dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
 files_search_pids($1)
 stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
- dontaudit $1 nscd_var_run_t:file { getattr read };
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
 ')
 ########################################
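Review bot: mysql_write_log still pairs `write_file_perms` with setattr on mysqld_log_t, so every caller of the interface can rewrite existing log content and change the file's attributes, not only add new entries. If the callers only ever append, `allow $1 mysqld_log_t:file append_file_perms;` would keep earlier entries out of reach of a compromised caller and preserve the log as evidence. I cannot see the callers from this hunk, so treat that as a question for the module owner rather than a required change. If write and setattr are both genuinely needed, a one-line comment above the rule stating why would document the grant.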
@@ -171,7 +171,7 @@ interface(`nscd_shm_use',`
 stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
 files_search_pids($1)
 allow $1 nscd_t:nscd { getpwd getgrp gethost };
- dontaudit $1 nscd_var_run_t:file { getattr read };
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
 ')
 ########################################