author | bauen1 <j2468h@gmail.com> | 2020-08-14 16:33:08 +0200 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2020-10-11 14:00:05 -0700 |
commit | ea5cbbdf7543ad954aa9ebf92ac620e5b6d6a9eb (patch) | |
tree | 8cfdfac6d535280a97059de6037261158d3007ee /policy/modules | |
parent | Looks like this got dropped in pull request #294 (diff) | |
selint: fix S-010
Signed-off-by: bauen1 <j2468h@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'policy/modules')
41 files changed, 105 insertions, 105 deletions
diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if index e575eafa5..f0dc79086 100644 --- a/policy/modules/admin/firstboot.if +++ b/policy/modules/admin/firstboot.if @@ -115,7 +115,7 @@ interface(`firstboot_rw_pipes',` type firstboot_t; ') - allow $1 firstboot_t:fifo_file { read write }; + allow $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index 4a48e2341..b6d01ea36 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -525,7 +525,7 @@ gen_tunable(portage_enable_test, false) # Portage eselect module domain # - allow portage_eselect_domain self:fifo_file { read write }; + allow portage_eselect_domain self:fifo_file rw_inherited_fifo_file_perms; corecmd_exec_shell(portage_eselect_domain) diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te index 2ee23cdf8..893083355 100644 --- a/policy/modules/apps/evolution.te +++ b/policy/modules/apps/evolution.te @@ -416,7 +416,7 @@ optional_policy(` allow evolution_server_t self:process { getsched signal }; -allow evolution_server_t self:fifo_file { read write }; +allow evolution_server_t self:fifo_file rw_inherited_fifo_file_perms; allow evolution_server_t self:unix_stream_socket { accept connectto listen }; allow evolution_server_t evolution_home_t:dir manage_dir_perms; diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if index 78efb1866..884f19fde 100644 --- a/policy/modules/apps/gpg.if +++ b/policy/modules/apps/gpg.if 
@@ -37,7 +37,7 @@ interface(`gpg_role',` allow gpg_pinentry_t $2:process signull; allow gpg_helper_t $2:fd use; - allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write }; + allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file rw_inherited_fifo_file_perms; allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms }; diff --git a/policy/modules/contrib/dirsrv.te b/policy/modules/contrib/dirsrv.te index 7e67c47ed..36e2203bb 100644 --- a/policy/modules/contrib/dirsrv.te +++ b/policy/modules/contrib/dirsrv.te @@ -72,7 +72,7 @@ miscfiles_read_localization(dirsrv_t) dev_read_urand(dirsrv_t) libs_use_ld_so(dirsrv_t) libs_use_shared_libs(dirsrv_t) -allow dirsrv_t self:fifo_file { read write }; +allow dirsrv_t self:fifo_file rw_inherited_fifo_file_perms; # process stuff allow dirsrv_t self:process { getsched setsched setfscreate signal_perms}; @@ -160,7 +160,7 @@ dev_read_urand(dirsrv_snmp_t) files_read_usr_files(dirsrv_snmp_t) fs_getattr_tmpfs(dirsrv_snmp_t) fs_search_tmpfs(dirsrv_snmp_t) -allow dirsrv_snmp_t self:fifo_file { read write }; +allow dirsrv_snmp_t self:fifo_file rw_inherited_fifo_file_perms; sysnet_read_config(dirsrv_snmp_t) sysnet_dns_name_resolve(dirsrv_snmp_t) diff --git a/policy/modules/contrib/logsentry.te b/policy/modules/contrib/logsentry.te index 302e93abd..d80cdc8b6 100644 --- a/policy/modules/contrib/logsentry.te +++ b/policy/modules/contrib/logsentry.te @@ -24,7 +24,7 @@ files_type(logsentry_filter_t) # Local Policy # -allow logsentry_t self:fifo_file { read write getattr ioctl }; +allow logsentry_t self:fifo_file rw_inherited_fifo_file_perms; allow logsentry_t self:capability { setuid setgid }; allow logsentry_t logsentry_exec_t:file execute_no_trans; diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te index 30bbcb492..57e8ceb90 100644 
--- a/policy/modules/contrib/nginx.te +++ b/policy/modules/contrib/nginx.te @@ -77,7 +77,7 @@ files_runtime_file(nginx_runtime_t) # nginx local policy # -allow nginx_t self:fifo_file { read write }; +allow nginx_t self:fifo_file rw_inherited_fifo_file_perms; allow nginx_t self:unix_stream_socket create_stream_socket_perms; allow nginx_t self:tcp_socket { listen accept }; allow nginx_t self:capability { setuid net_bind_service setgid chown }; diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 974bd9e92..da40aa068 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -385,6 +385,6 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; -allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch }; -allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execmod audit_access watch }; -allow devices_unconfined_type mtrr_device_t:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans entrypoint execmod audit_access watch }; +allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton audit_access execmod watch }; +allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod audit_access watch }; +allow devices_unconfined_type mtrr_device_t:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod audit_access watch }; diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 62939ef4f..b493a4a18 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if 
@@ -5552,7 +5552,7 @@ interface(`files_relabel_var_dirs',` type var_t; ') - allow $1 var_t:dir { relabelfrom relabelto }; + allow $1 var_t:dir relabel_dir_perms; ') ######################################## @@ -5857,7 +5857,7 @@ interface(`files_relabel_var_lib_dirs',` ') allow $1 var_t:dir search_dir_perms; - allow $1 var_lib_t:dir { relabelfrom relabelto }; + allow $1 var_lib_t:dir relabel_dir_perms; ') ######################################## @@ -7748,7 +7748,7 @@ interface(`files_polyinstantiate_all',` allow $1 self:capability { chown fowner fsetid sys_admin }; # Need to give access to the directories to be polyinstantiated - allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; + allow $1 polydir:dir { add_entry_dir_perms create setattr mounton rmdir }; # Need to give access to the polyinstantiated subdirectories allow $1 polymember:dir search_dir_perms; @@ -7761,7 +7761,7 @@ interface(`files_polyinstantiate_all',` allow $1 self:process setfscreate; allow $1 polymember: dir { create setattr relabelto }; allow $1 polydir: dir { write add_name open }; - allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; + allow $1 polyparent:dir { rw_dir_perms relabel_dir_perms }; # Default type for mountpoints allow $1 poly_t:dir { create mounton }; diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index a60cc19ea..eb4867134 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te 
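Review bot: The two `files_polyinstantiate_all` rewrites are not pure macro substitutions, unlike most of this commit: `rw_dir_perms` on polyparent adds getattr, search, lock and ioctl that the hand-written set did not have, and `add_entry_dir_perms` on polydir adds lock and ioctl. For a polyinstantiation helper these are almost certainly harmless, but a commit titled "selint: fix S-010" reads as behaviour-neutral, so a reader auditing the unconfined/polyinstantiation surface would want a note that these sets grew. A comment above the polyparent rule such as `# rw_dir_perms is wider than the historical set (adds getattr search lock ioctl); needed for rename/relabel of polyinstantiated parents` would make the widening deliberate rather than incidental. The interface body continues past the second hunk.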
@@ -227,13 +227,13 @@ fs_associate_tmpfs(tmpfsfile) # # Create/access any file in a labeled filesystem; -allow files_unconfined_type file_type:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access watch }; -allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms relabelfrom relabelto append map execute quotaon mounton open audit_access execmod watch }; -allow files_unconfined_type file_type:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch }; -allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch }; -allow files_unconfined_type file_type:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch }; -allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access watch }; -allow files_unconfined_type file_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod watch }; +allow files_unconfined_type file_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton audit_access watch }; +allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open audit_access execmod watch }; +allow files_unconfined_type file_type:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton audit_access execmod watch }; +allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton audit_access execmod watch }; +allow files_unconfined_type file_type:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton audit_access execmod watch }; +allow 
files_unconfined_type file_type:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton audit_access watch }; +allow files_unconfined_type file_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod watch }; # Mount/unmount any filesystem with the context= option. allow files_unconfined_type file_type:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch }; diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 0fb322ffc..79e87e0ff 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -4908,7 +4908,7 @@ interface(`fs_relabelfrom_tmpfs_symlinks',` type tmpfs_t; ') - allow $1 tmpfs_t:lnk_file { getattr relabelfrom }; + allow $1 tmpfs_t:lnk_file relabelfrom_lnk_file_perms; ') ######################################## diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index d6711d610..42d66b055 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te 
@@ -332,13 +332,13 @@ allow filesystem_unconfined_type filesystem_type:filesystem { mount remount unmo # Create/access other files. fs_type is to pick up various # pseudo filesystem types that are applied to both the filesystem # and its files. -allow filesystem_unconfined_type filesystem_type:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans entrypoint audit_access execmod watch }; -allow filesystem_unconfined_type filesystem_type:lnk_file { manage_lnk_file_perms relabelfrom relabelto append map execute quotaon mounton open audit_access execmod watch }; -allow filesystem_unconfined_type filesystem_type:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch }; -allow filesystem_unconfined_type filesystem_type:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch }; -allow filesystem_unconfined_type filesystem_type:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch }; -allow filesystem_unconfined_type filesystem_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch }; -allow filesystem_unconfined_type filesystem_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod watch }; +allow filesystem_unconfined_type filesystem_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton entrypoint audit_access execmod watch }; +allow filesystem_unconfined_type filesystem_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open audit_access execmod watch }; +allow filesystem_unconfined_type filesystem_type:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton audit_access execmod watch }; +allow 
filesystem_unconfined_type filesystem_type:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton audit_access execmod watch }; +allow filesystem_unconfined_type filesystem_type:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton audit_access execmod watch }; +allow filesystem_unconfined_type filesystem_type:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton audit_access execmod watch }; +allow filesystem_unconfined_type filesystem_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod watch }; ifdef(`distro_gentoo',` # Fix bug 535986 - Mark configfs_t as file type (and mountpoint probably as well) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 7f1b64449..57adb2682 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -270,7 +270,7 @@ interface(`kernel_rw_pipes',` type kernel_t; ') - allow $1 kernel_t:fifo_file { read write }; + allow $1 kernel_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## @@ -3115,7 +3115,7 @@ interface(`kernel_relabelfrom_unlabeled_files',` ') kernel_list_unlabeled($1) - allow $1 unlabeled_t:file { getattr relabelfrom }; + allow $1 unlabeled_t:file relabelfrom_file_perms; ') ######################################## @@ -3134,7 +3134,7 @@ interface(`kernel_relabelfrom_unlabeled_symlinks',` ') kernel_list_unlabeled($1) - allow $1 unlabeled_t:lnk_file { getattr relabelfrom }; + allow $1 unlabeled_t:lnk_file relabelfrom_lnk_file_perms; ') ######################################## @@ -3153,7 +3153,7 @@ interface(`kernel_relabelfrom_unlabeled_pipes',` ') kernel_list_unlabeled($1) - allow $1 unlabeled_t:fifo_file { getattr relabelfrom }; + allow $1 unlabeled_t:fifo_file relabelfrom_fifo_file_perms; ') ######################################## 
@@ -3190,7 +3190,7 @@ interface(`kernel_relabelfrom_unlabeled_sockets',` ') kernel_list_unlabeled($1) - allow $1 unlabeled_t:sock_file { getattr relabelfrom }; + allow $1 unlabeled_t:sock_file relabelfrom_sock_file_perms; ') ######################################## @@ -3226,7 +3226,7 @@ interface(`kernel_relabelfrom_unlabeled_blk_devs',` type unlabeled_t; ') - allow $1 unlabeled_t:blk_file { getattr relabelfrom }; + allow $1 unlabeled_t:blk_file relabelfrom_blk_file_perms; ') ######################################## @@ -3244,7 +3244,7 @@ interface(`kernel_relabelfrom_unlabeled_chr_devs',` type unlabeled_t; ') - allow $1 unlabeled_t:chr_file { getattr relabelfrom }; + allow $1 unlabeled_t:chr_file relabelfrom_chr_file_perms; ') ######################################## diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 3e805c7ad..decc763bf 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te 
@@ -520,21 +520,21 @@ if( ! secure_mode_insmod ) { # Rules for unconfined access to this module # -allow kern_unconfined proc_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton audit_access execmod watch }; -allow kern_unconfined proc_type:lnk_file { manage_lnk_file_perms relabelfrom relabelto append map execute quotaon mounton open audit_access execmod watch }; -allow kern_unconfined proc_type:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access watch }; +allow kern_unconfined proc_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton audit_access execmod watch }; +allow kern_unconfined proc_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open audit_access execmod watch }; +allow kern_unconfined proc_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton audit_access watch }; -allow kern_unconfined sysctl_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton audit_access execmod watch }; -allow kern_unconfined sysctl_type:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access watch }; +allow kern_unconfined sysctl_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton audit_access execmod watch }; +allow kern_unconfined sysctl_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton audit_access watch }; allow kern_unconfined kernel_t:system { ipc_info syslog_read syslog_mod syslog_console module_request module_load halt reboot status start stop enable disable reload }; -allow kern_unconfined unlabeled_t:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access watch }; -allow kern_unconfined unlabeled_t:lnk_file { manage_lnk_file_perms relabelfrom relabelto append map execute quotaon mounton open 
audit_access execmod watch }; -allow kern_unconfined unlabeled_t:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch }; -allow kern_unconfined unlabeled_t:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch }; -allow kern_unconfined unlabeled_t:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch }; -allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access watch }; +allow kern_unconfined unlabeled_t:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton audit_access watch }; +allow kern_unconfined unlabeled_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open audit_access execmod watch }; +allow kern_unconfined unlabeled_t:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton audit_access execmod watch }; +allow kern_unconfined unlabeled_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton audit_access execmod watch }; +allow kern_unconfined unlabeled_t:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton audit_access execmod watch }; +allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton audit_access watch }; allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod watch }; allow kern_unconfined unlabeled_t:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch }; allow kern_unconfined unlabeled_t:association { sendto recvfrom setcontext polmatch }; 
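Review bot: The `unlabeled_t:dir` rule left as context at the bottom of this hunk still spells `relabelfrom relabelto` by hand, while every sibling line in the hunk (proc_type, sysctl_type and the other unlabeled_t classes) was rewritten to `relabel_*_perms`, and the matching `dir` rules in files.te and filesystem.te on this page were converted too. Since `relabel_dir_perms` is `{ getattr relabelfrom relabelto }` and `manage_dir_perms` already carries getattr, the change is behaviour-neutral: `allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod watch };`. Leaving it as-is likely means the next selint run reports the same finding on this file.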
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te index 739c24afe..a1cea2a5b 100644 --- a/policy/modules/kernel/storage.te +++ b/policy/modules/kernel/storage.te @@ -55,5 +55,5 @@ dev_node(tape_device_t) # Unconfined access to this module # -allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod }; -allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton execmod audit_access }; +allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton audit_access execmod }; +allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod audit_access }; diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index 43c93e449..2916fbbba 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -707,7 +707,7 @@ interface(`term_use_generic_ptys',` dev_list_all_dev_nodes($1) allow $1 devpts_t:dir list_dir_perms; - allow $1 devpts_t:chr_file { rw_term_perms lock append }; + allow $1 devpts_t:chr_file rw_chr_file_perms; ') ######################################## @@ -787,7 +787,7 @@ interface(`term_use_controlling_term',` ') dev_list_all_dev_nodes($1) - allow $1 devtty_t:chr_file { rw_term_perms lock append }; + allow $1 devtty_t:chr_file rw_chr_file_perms; ') ####################################### @@ -1007,7 +1007,7 @@ interface(`term_use_all_ptys',` dev_list_all_dev_nodes($1) allow $1 devpts_t:dir list_dir_perms; - allow $1 ptynode:chr_file { rw_term_perms lock append }; + allow $1 ptynode:chr_file rw_chr_file_perms; ') ######################################## 
@@ -1025,7 +1025,7 @@ interface(`term_dontaudit_use_all_ptys',` attribute ptynode; ') - dontaudit $1 ptynode:chr_file { rw_term_perms lock append }; + dontaudit $1 ptynode:chr_file rw_chr_file_perms; ') ######################################## @@ -1086,7 +1086,7 @@ interface(`term_setattr_unlink_unallocated_ttys',` ') dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file { getattr setattr unlink }; + allow $1 tty_device_t:chr_file { delete_chr_file_perms setattr }; ') ######################################## diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if index d934f4549..9f5b8f5b9 100644 --- a/policy/modules/services/afs.if +++ b/policy/modules/services/afs.if @@ -54,7 +54,7 @@ interface(`afs_rw_cache',` ') files_search_var($1) - allow $1 afs_cache_t:file { read write }; + allow $1 afs_cache_t:file rw_file_perms; ') ######################################## diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te index 8ff59d33a..6b1a2d005 100644 --- a/policy/modules/services/boinc.te +++ b/policy/modules/services/boinc.te @@ -181,7 +181,7 @@ allow boinc_project_t boinc_project_var_lib_t:file execmod; can_exec(boinc_project_t, boinc_project_var_lib_t) allow boinc_project_t boinc_t:shm rw_shm_perms; -allow boinc_project_t boinc_tmpfs_t:file { read write }; +allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms; kernel_read_kernel_sysctls(boinc_project_t) kernel_read_network_state(boinc_project_t) diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te index 9395b0d49..73b23268a 100644 --- a/policy/modules/services/courier.te +++ b/policy/modules/services/courier.te 
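Review bot: In the `afs_rw_cache` hunk, `{ read write }` became `rw_file_perms`, which carries `open` on top of getattr/append/ioctl/lock, whereas the identical `{ read write }` conversions in boinc.te and courier.te on this same page used `rw_inherited_file_perms`. The old rule let a caller read and write only an afs_cache_t descriptor it already held; the new one also lets it open the cache files by path, so this interface widens beyond an S-010 cleanup. If that is intended (the interface already calls `files_search_var($1)`, which hints at path-based access), say so in the interface's doc block or the commit message; otherwise the conservative conversion is `allow $1 afs_cache_t:file rw_inherited_file_perms;`.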
@@ -139,7 +139,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; -allow courier_pop_t courier_var_lib_t:file { read write }; +allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms; stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, courier_authdaemon_t) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index 4fb832ffa..11b9a836c 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -77,10 +77,10 @@ interface(`cron_role',` domtrans_pattern($2, crontab_exec_t, crontab_t) - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; + dontaudit crond_t $2:process { noatsecure rlimitinh siginh }; allow $2 crond_t:process sigchld; - allow $2 user_cron_spool_t:file { getattr read write ioctl }; + allow $2 user_cron_spool_t:file rw_inherited_file_perms; allow $2 crontab_t:process { ptrace signal_perms }; ps_process_pattern($2, crontab_t) @@ -161,7 +161,7 @@ interface(`cron_unconfined_role',` dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; allow $2 crond_t:process sigchld; - allow $2 user_cron_spool_t:file { getattr read write ioctl }; + allow $2 user_cron_spool_t:file rw_inherited_file_perms; allow $2 crontab_t:process { ptrace signal_perms }; ps_process_pattern($2, crontab_t) @@ -243,7 +243,7 @@ interface(`cron_admin_role',` dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; allow $2 crond_t:process sigchld; - allow $2 user_cron_spool_t:file { getattr read write ioctl }; + allow $2 user_cron_spool_t:file rw_inherited_file_perms; allow $2 admin_crontab_t:process { ptrace signal_perms }; ps_process_pattern($2, admin_crontab_t) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index 8cb6c8ca9..e547337c3 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if 
@@ -362,7 +362,7 @@ interface(`dbus_relabel_lib_dirs',` ') files_search_var_lib($1) - allow $1 system_dbusd_var_lib_t:dir { relabelfrom relabelto }; + allow $1 system_dbusd_var_lib_t:dir relabel_dir_perms; ') ######################################## diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 016170b38..ddeefcc79 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -232,7 +232,7 @@ optional_policy(` dontaudit session_bus_type self:capability sys_resource; allow session_bus_type self:process { getattr sigkill signal }; dontaudit session_bus_type self:process { ptrace setrlimit }; -allow session_bus_type self:file { getattr read write }; +allow session_bus_type self:file rw_inherited_file_perms; allow session_bus_type self:fifo_file rw_fifo_file_perms; allow session_bus_type self:dbus { send_msg acquire_svc }; allow session_bus_type self:unix_stream_socket { accept listen }; diff --git a/policy/modules/services/dirmngr.if b/policy/modules/services/dirmngr.if index 655e193b8..e900973b9 100644 --- a/policy/modules/services/dirmngr.if +++ b/policy/modules/services/dirmngr.if @@ -29,7 +29,7 @@ interface(`dirmngr_role',` ps_process_pattern($2, dirmngr_t) allow dirmngr_t $2:fd use; - allow dirmngr_t $2:fifo_file { read write }; + allow dirmngr_t $2:fifo_file rw_inherited_fifo_file_perms; allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; ') diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if index 469d717c1..db8c999b9 100644 --- a/policy/modules/services/fail2ban.if +++ b/policy/modules/services/fail2ban.if @@ -102,7 +102,7 @@ interface(`fail2ban_rw_inherited_tmp_files',` ') files_search_tmp($1) - allow $1 fail2ban_tmp_t:file { read write }; + allow $1 fail2ban_tmp_t:file rw_inherited_file_perms; ') ######################################## 
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if index e0cb926aa..42b96b369 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -259,7 +259,7 @@ interface(`postfix_rw_inherited_master_pipes',` ') allow $1 postfix_master_t:fd use; - allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read }; + allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index f06e425e3..6089d18d3 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -331,7 +331,7 @@ interface(`postgresql_manage_db',` allow $1 postgresql_db_t:dir rw_dir_perms; allow $1 postgresql_db_t:file rw_file_perms; - allow $1 postgresql_db_t:lnk_file { getattr read }; + allow $1 postgresql_db_t:lnk_file read_lnk_file_perms; ') ####################################### diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 7ca8639ff..e8317f4e8 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -216,7 +216,7 @@ allow postgresql_t self:capability { chown dac_override dac_read_search fowner f dontaudit postgresql_t self:capability { sys_admin sys_tty_config }; allow postgresql_t self:process signal_perms; allow postgresql_t self:fifo_file rw_fifo_file_perms; -allow postgresql_t self:file { getattr read }; +allow postgresql_t self:file read_inherited_file_perms; allow postgresql_t self:sem create_sem_perms; allow postgresql_t self:shm create_shm_perms; allow postgresql_t self:tcp_socket create_stream_socket_perms; 
@@ -266,7 +266,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms; read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) -allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; +allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms; can_exec(postgresql_t, postgresql_exec_t ) allow postgresql_t postgresql_lock_t:file manage_file_perms; diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index bc78b4c71..f38c211e0 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -528,7 +528,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') - allow $1 sshd_t:fifo_file { write read getattr ioctl }; + allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index d257e829f..3b9afb6e3 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -217,7 +217,7 @@ optional_policy(` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; -allow ssh_keysign_t sshd_key_t:file { getattr read }; +allow ssh_keysign_t sshd_key_t:file read_inherited_file_perms; dev_read_urand(ssh_keysign_t) diff --git a/policy/modules/services/tpm2.te b/policy/modules/services/tpm2.te index c906c8b0d..19bfa5cd5 100644 --- a/policy/modules/services/tpm2.te +++ b/policy/modules/services/tpm2.te @@ -23,7 +23,7 @@ application_domain(tpm2_t, tpm2_exec_t) allow tpm2_abrmd_t self:process signal; allow tpm2_abrmd_t self:unix_stream_socket create_socket_perms; -allow tpm2_abrmd_t self:fifo_file { read write }; +allow tpm2_abrmd_t self:fifo_file rw_inherited_fifo_file_perms; dev_rw_tpm(tpm2_abrmd_t) diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te index 21882f88d..4dba3ceb4 100644 --- a/policy/modules/services/virt.te 
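Review bot: `read_inherited_file_perms` on `sshd_key_t` in the ssh.te hunk now names an intent — access only through an already-open descriptor — that the surrounding policy should back up, because sshd_key_t is the host private key and ssh-keysign is the setuid helper that, as far as I know, opens that key by path itself. Neither the old `{ getattr read }` nor the new macro grants `open`, so behaviour is unchanged here; but if keysign does open the files, the right idiom is `read_files_pattern(ssh_keysign_t, sshd_key_t, sshd_key_t)` rather than an inherited-fd macro, and if it does not, a one-line comment above the rule saying the descriptor comes from sshd_t would stop the next reader from "fixing" it. The ssh_keysign_t block continues past this hunk.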
+++ b/policy/modules/services/virt.te @@ -459,7 +459,7 @@ tunable_policy(`virt_use_vfio',` allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace }; allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; -allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; +allow virtd_t self:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen }; allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index b6f98d15f..baa39ef87 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -70,7 +70,7 @@ interface(`xserver_restricted_role',` # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file { getattr read write ioctl }; + allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; allow $2 xdm_tmp_t:dir search; allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -80,7 +80,7 @@ interface(`xserver_restricted_role',` allow $2 xserver_tmpfs_t:file read_file_perms; # Read /tmp/.X0-lock - allow $2 xserver_tmp_t:file { getattr read }; + allow $2 xserver_tmp_t:file read_inherited_file_perms; dev_rw_xserver_misc($2) dev_map_xserver_misc($2) 
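Review bot: In the first `xserver_restricted_role` hunk the converted fifo_file line sits next to `allow $2 xdm_tmp_t:dir search;` and `allow $2 xdm_tmp_t:sock_file { read write };`, which are left as bare permissions, while the parallel block in `xserver_user_x_domain_template` further down this page uses `search_dir_perms` for the same xdm_tmp_t directory. Bringing the role in line with the template, `allow $2 xdm_tmp_t:dir search_dir_perms;`, is equivalent to what the template already grants but not to the old line (it adds at least getattr and open on the directory), so treat it as a deliberate alignment rather than a no-op. The interface continues outside the hunk.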
@@ -153,10 +153,10 @@ interface(`xserver_role',` allow $2 xserver_tmp_t:file rw_file_perms; allow $2 iceauth_home_t:file manage_file_perms; - allow $2 iceauth_home_t:file { relabelfrom relabelto }; + allow $2 iceauth_home_t:file relabel_file_perms; allow $2 xauth_home_t:file manage_file_perms; - allow $2 xauth_home_t:file { relabelfrom relabelto }; + allow $2 xauth_home_t:file relabel_file_perms; manage_dirs_pattern($2, user_fonts_t, user_fonts_t) manage_files_pattern($2, user_fonts_t, user_fonts_t) @@ -248,7 +248,7 @@ interface(`xserver_ro_session',` allow $1 xserver_t:process signal; # Read /tmp/.X0-lock - allow $1 xserver_tmp_t:file { getattr read }; + allow $1 xserver_tmp_t:file read_inherited_file_perms; # Client read xserver shm allow $1 xserver_t:fd use; @@ -451,7 +451,7 @@ template(`xserver_user_x_domain_template',` # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file { getattr read write ioctl }; + allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; allow $2 xdm_tmp_t:dir search_dir_perms; allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -734,7 +734,7 @@ interface(`xserver_relabel_console_pipes',` type xconsole_device_t; ') - allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto }; + allow $1 xconsole_device_t:fifo_file relabel_fifo_file_perms; ') ######################################## @@ -807,7 +807,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') - allow $1 xdm_t:fifo_file { getattr read write }; + allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index eb1aa5c4a..83c783681 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te 
@@ -847,7 +847,7 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! -allow xserver_t xdm_var_lib_t:file { getattr read }; +allow xserver_t xdm_var_lib_t:file read_inherited_file_perms; dontaudit xserver_t xdm_var_lib_t:dir search; read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index c25fe5ec7..bb5a0c6ac 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -907,7 +907,7 @@ interface(`auth_relabel_lastlog',` ') logging_search_logs($1) - allow $1 lastlog_t:file { relabelfrom relabelto }; + allow $1 lastlog_t:file relabel_file_perms; ') ####################################### diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 4c929373b..ff8f7db79 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1313,7 +1313,7 @@ interface(`init_relabel_var_lib_dirs',` type init_var_lib_t; ') - allow $1 init_var_lib_t:dir { relabelfrom relabelto }; + allow $1 init_var_lib_t:dir relabel_dir_perms; ') ######################################## @@ -2550,7 +2550,7 @@ interface(`init_rw_script_pipes',` type initrc_t; ') - allow $1 initrc_t:fifo_file { read write }; + allow $1 initrc_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## @@ -2674,7 +2674,7 @@ interface(`init_use_script_ptys',` ') term_list_ptys($1) - allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append }; + allow $1 initrc_devpts_t:chr_file rw_chr_file_perms; ') ######################################## @@ -2693,7 +2693,7 @@ interface(`init_use_inherited_script_ptys',` ') term_list_ptys($1) - allow $1 initrc_devpts_t:chr_file { getattr read write ioctl }; + allow $1 initrc_devpts_t:chr_file rw_inherited_term_perms; init_use_fds($1) ') 
@@ -2937,7 +2937,7 @@ interface(`init_write_utmp',` ') files_list_runtime($1) - allow $1 initrc_runtime_t:file { getattr open write }; + allow $1 initrc_runtime_t:file write_file_perms; ') ######################################## @@ -3030,7 +3030,7 @@ interface(`init_relabel_utmp',` type initrc_runtime_t; ') - allow $1 initrc_runtime_t:file { relabelfrom relabelto }; + allow $1 initrc_runtime_t:file relabel_file_perms; ') ######################################## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index f2af4d69d..c74618133 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -252,8 +252,8 @@ ifdef(`init_systemd',` allow init_t init_path_unit_loc_type:{ dir file } { getattr watch }; # for /run/systemd/inaccessible/{chr,blk} - allow init_t init_runtime_t:blk_file { create getattr }; - allow init_t init_runtime_t:chr_file { create getattr }; + allow init_t init_runtime_t:blk_file create_blk_file_perms; + allow init_t init_runtime_t:chr_file create_chr_file_perms; allow init_t systemprocess:process { dyntransition siginh }; allow init_t systemprocess:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index ff5f9bef3..ae993536a 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -519,7 +519,7 @@ interface(`logging_relabel_syslogd_tmp_files',` type syslogd_tmp_t; ') - allow $1 syslogd_tmp_t:file { relabelfrom relabelto }; + allow $1 syslogd_tmp_t:file relabel_file_perms; ') ######################################## @@ -557,7 +557,7 @@ interface(`logging_relabel_syslogd_tmp_dirs',` type syslogd_tmp_t; ') - allow $1 syslogd_tmp_t:dir { relabelfrom relabelto }; + allow $1 syslogd_tmp_t:dir relabel_dir_perms; ') ######################################## 
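Review bot: The `init_write_utmp` hunk widens what every caller gets on `initrc_runtime_t` files: `write_file_perms` is `{ getattr open write append lock ioctl }` in refpolicy's obj_perm_sets, whereas the old rule granted only `{ getattr open write }`, so `append lock ioctl` are new for a change labelled as a lint fix. The widening is probably desirable (utmp writers typically lock the file, and `lock` was likely the missing piece) but it should be stated rather than implied; a line above the rule such as `# write_file_perms also grants append/lock/ioctl, which utmp writers need for record locking` would make the intent reviewable and keep a future tightening from undoing it. The interface's closing `')` is visible, but the rest of the file continues outside this hunk.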
@@ -1191,7 +1191,7 @@ interface(`logging_relabel_generic_log_dirs',` ') files_search_var($1) - allow $1 var_log_t:dir { relabelfrom relabelto }; + allow $1 var_log_t:dir relabel_dir_perms; ') ######################################## diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index f4f8afe6e..3e88974f2 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -461,7 +461,7 @@ interface(`sysnet_relabel_config',` ') files_search_etc($1) - allow $1 net_conf_t:file { relabelfrom relabelto }; + allow $1 net_conf_t:file relabel_file_perms; ') ####################################### diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 54c2a2139..4fe1690ca 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -448,7 +448,7 @@ optional_policy(` kernel_read_kernel_sysctls(systemd_hw_t) -allow systemd_hw_t systemd_hwdb_t:file { manage_file_perms relabelfrom relabelto }; +allow systemd_hw_t systemd_hwdb_t:file { manage_file_perms relabel_file_perms }; files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file) files_search_runtime(systemd_hw_t) 
@@ -1151,15 +1151,15 @@ systemd_log_parse_environment(systemd_sysusers_t) allow systemd_tmpfiles_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin sys_admin }; allow systemd_tmpfiles_t self:process { setfscreate getcap }; -allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms }; +allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { manage_dir_perms relabel_dir_perms }; allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms; -allow systemd_tmpfiles_t systemd_sessions_runtime_t:file { relabelfrom relabelto manage_file_perms }; +allow systemd_tmpfiles_t systemd_sessions_runtime_t:file { manage_file_perms relabel_file_perms }; manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t) manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t) -allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto }; -allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto }; +allow systemd_tmpfiles_t systemd_journal_t:dir relabel_dir_perms; +allow systemd_tmpfiles_t systemd_journal_t:file relabel_file_perms; allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 4d53e4d49..40cc6a10f 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -3220,7 +3220,7 @@ interface(`userdom_relabel_user_tmpfs_dirs',` type user_tmpfs_t; ') - allow $1 user_tmpfs_t:dir { list_dir_perms relabelto relabelfrom }; + allow $1 user_tmpfs_t:dir { list_dir_perms relabel_dir_perms }; fs_search_tmpfs($1) ') 
@@ -3240,7 +3240,7 @@ interface(`userdom_relabel_user_tmpfs_files',` ') allow $1 user_tmpfs_t:dir list_dir_perms; - allow $1 user_tmpfs_t:file { relabelto relabelfrom }; + allow $1 user_tmpfs_t:file relabel_file_perms; fs_search_tmpfs($1) ') @@ -3339,7 +3339,7 @@ interface(`userdom_relabel_user_runtime_root_dirs',` type user_runtime_root_t; ') - allow $1 user_runtime_root_t:dir { relabelfrom relabelto }; + allow $1 user_runtime_root_t:dir relabel_dir_perms; ') ######################################## diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index 7807f1e45..db374e935 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -129,7 +129,7 @@ init_system_domain(xm_t, xm_exec_t) tunable_policy(`xend_run_blktap',` domtrans_pattern(xend_t, blktap_exec_t, blktap_t) - allow blktap_t self:fifo_file { read write }; + allow blktap_t self:fifo_file rw_inherited_fifo_file_perms; dev_read_sysfs(blktap_t) dev_rw_xen(blktap_t) |