From ef659a476ef732e46815279ee55aa9f9a05fc002 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Oct 09 2007 17:29:48 +0000 Subject: Deprecate some old file and dir permission set macros in favor of the newer, more consistently-named macros. --- diff --git a/Changelog b/Changelog index 2db03ad..2c8b537 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,5 @@ +- Deprecate some old file and dir permission set macros in favor of the + newer, more consistently-named macros. - Patch to clean up unescaped periods in several file context entries from Jan-Frode Myklebust. - Merge shlib_t into lib_t. diff --git a/doc/example.te b/doc/example.te index d624e0c..8238355 100644 --- a/doc/example.te +++ b/doc/example.te @@ -22,7 +22,7 @@ files_tmp_file(myapp_tmp_t) # Myapp local policy # -allow myapp_t myapp_log_t:file ra_file_perms; +allow myapp_t myapp_log_t:file { read_file_perms append_file_perms }; allow myapp_t myapp_tmp_t:file manage_file_perms; files_tmp_filetrans(myapp_t,myapp_tmp_t,file) diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te index 7282d4a..84f2f38 100644 --- a/policy/modules/admin/dpkg.te +++ b/policy/modules/admin/dpkg.te @@ -214,7 +214,7 @@ optional_policy(` allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow dpkg_script_t self:fd use; -allow dpkg_script_t self:fifo_file rw_file_perms; +allow dpkg_script_t self:fifo_file rw_fifo_file_perms; allow dpkg_script_t self:unix_dgram_socket create_socket_perms; allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms; allow dpkg_script_t self:unix_dgram_socket sendto; @@ -224,7 +224,7 @@ allow dpkg_script_t self:sem create_sem_perms; allow dpkg_script_t self:msgq create_msgq_perms; allow dpkg_script_t self:msg { send receive }; -allow dpkg_script_t dpkg_tmp_t:file r_file_perms; +allow dpkg_script_t dpkg_tmp_t:file read_file_perms; allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton }; allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms; @@ -232,9 +232,9 @@ files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir }) allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms; allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms; -allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file create_lnk_perms; -allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_file_perms; -allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_file_perms; +allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms; +allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms; +allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms; fs_tmpfs_filetrans(dpkg_script_t,dpkg_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) kernel_read_kernel_sysctls(dpkg_script_t) diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te index 92bea6b..81750c6 100644 --- a/policy/modules/admin/kudzu.te +++ b/policy/modules/admin/kudzu.te @@ -165,5 +165,5 @@ optional_policy(` role system_r types sysadm_userhelper_t; domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t) ') -allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms; +allow kudzu_t cupsd_rw_etc_t:dir list_dir_perms; ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index fcae4a7..271e1a3 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -183,15 +183,3 @@ optional_policy(` # cjp: why? squid_domtrans(logrotate_t) ') - -ifdef(`TODO',` -# it should not require this -allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search }; - -# for /var/backups on Debian -ifdef(`backup.te', ` -rw_dir_create_file(logrotate_t, backup_store_t) -') - -allow logrotate_t syslogd_exec_t:file r_file_perms; -') dnl end TODO diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index 3fe9309..401120a 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -24,7 +24,7 @@ interface(`portage_domtrans',` # constraining domain domain_trans($1,portage_exec_t,portage_t) allow portage_t $1:fd use; - allow portage_t $1:fifo_file rw_file_perms; + allow portage_t $1:fifo_file rw_fifo_file_perms; allow portage_t $1:process sigchld; # transition to portage @@ -346,7 +346,8 @@ interface(`portage_main_domain',` # seems to work ok without these dontaudit portage_t device_t:{ blk_file chr_file } getattr; dontaudit portage_t proc_t:dir setattr; - dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms; + dontaudit portage_t device_type:chr_file read_chr_file_perms; + dontaudit portage_t device_type:blk_file read_blk_file_perms; ') ') diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if index 681ea93..133c62e 100644 --- a/policy/modules/apps/evolution.if +++ b/policy/modules/apps/evolution.if @@ -118,7 +118,7 @@ template(`evolution_per_role_template',` allow $1_evolution_t $1_evolution_home_t:dir manage_dir_perms; allow $1_evolution_t $1_evolution_home_t:file manage_file_perms; - allow $1_evolution_t $1_evolution_home_t:lnk_file create_lnk_perms; + allow $1_evolution_t $1_evolution_home_t:lnk_file manage_lnk_file_perms; allow $1_evolution_t $1_evolution_orbit_tmp_t:dir manage_dir_perms; allow $1_evolution_t $1_evolution_orbit_tmp_t:file manage_file_perms; @@ -138,9 +138,9 @@ template(`evolution_per_role_template',` allow $1_evolution_t $1_evolution_tmpfs_t:dir rw_dir_perms; allow $1_evolution_t $1_evolution_tmpfs_t:file manage_file_perms; - allow $1_evolution_t $1_evolution_tmpfs_t:lnk_file create_lnk_perms; - allow $1_evolution_t $1_evolution_tmpfs_t:sock_file manage_file_perms; - allow $1_evolution_t $1_evolution_tmpfs_t:fifo_file manage_file_perms; + allow $1_evolution_t $1_evolution_tmpfs_t:lnk_file manage_lnk_file_perms; + allow $1_evolution_t $1_evolution_tmpfs_t:sock_file manage_sock_file_perms; + allow $1_evolution_t $1_evolution_tmpfs_t:fifo_file manage_fifo_file_perms; fs_tmpfs_filetrans($1_evolution_t,$1_evolution_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) allow $1_evolution_t $2:dir search; @@ -161,7 +161,7 @@ template(`evolution_per_role_template',` # Access .evolution allow $2 $1_evolution_home_t:dir manage_dir_perms; allow $2 $1_evolution_home_t:file manage_file_perms; - allow $2 $1_evolution_home_t:lnk_file create_lnk_perms; + allow $2 $1_evolution_home_t:lnk_file manage_lnk_file_perms; allow $2 $1_evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto }; userdom_search_user_home_dirs($1,$1_evolution_t) @@ -477,9 +477,9 @@ template(`evolution_per_role_template',` allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:dir rw_dir_perms; allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:file manage_file_perms; - allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:lnk_file create_lnk_perms; - allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:sock_file manage_file_perms; - allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:fifo_file manage_file_perms; + allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms; + allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms; + allow $1_evolution_alarm_t $1_evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms; fs_tmpfs_filetrans($1_evolution_alarm_t,$1_evolution_alarm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) allow $1_evolution_alarm_t $1_evolution_exchange_t:unix_stream_socket connectto; @@ -488,7 +488,7 @@ template(`evolution_per_role_template',` # Access evolution home allow $1_evolution_alarm_t $1_evolution_home_t:dir manage_dir_perms; allow $1_evolution_alarm_t $1_evolution_home_t:file manage_file_perms; - allow $1_evolution_alarm_t $1_evolution_home_t:lnk_file create_lnk_perms; + allow $1_evolution_alarm_t $1_evolution_home_t:lnk_file manage_lnk_file_perms; allow $1_evolution_alarm_t $1_evolution_server_t:unix_stream_socket connectto; allow $1_evolution_alarm_t $1_evolution_server_orbit_tmp_t:sock_file write; @@ -564,7 +564,7 @@ template(`evolution_per_role_template',` # Access evolution home allow $1_evolution_exchange_t $1_evolution_home_t:dir manage_dir_perms; allow $1_evolution_exchange_t $1_evolution_home_t:file manage_file_perms; - allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file create_lnk_perms; + allow $1_evolution_exchange_t $1_evolution_home_t:lnk_file manage_lnk_file_perms; allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto; allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write; @@ -576,9 +576,9 @@ template(`evolution_per_role_template',` allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:dir rw_dir_perms; allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:file manage_file_perms; - allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:lnk_file create_lnk_perms; - allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:sock_file manage_file_perms; - allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:fifo_file manage_file_perms; + allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms; + allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms; + allow $1_evolution_exchange_t $1_evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms; fs_tmpfs_filetrans($1_evolution_exchange_t,$1_evolution_exchange_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) allow $1_evolution_exchange_t $2:unix_stream_socket connectto; @@ -664,7 +664,7 @@ template(`evolution_per_role_template',` # Access evolution home allow $1_evolution_server_t $1_evolution_home_t:dir manage_dir_perms; allow $1_evolution_server_t $1_evolution_home_t:file manage_file_perms; - allow $1_evolution_server_t $1_evolution_home_t:lnk_file create_lnk_perms; + allow $1_evolution_server_t $1_evolution_home_t:lnk_file manage_lnk_file_perms; allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto; allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write; @@ -747,9 +747,9 @@ template(`evolution_per_role_template',` # X/evolution common stuff allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:dir rw_dir_perms; allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:file manage_file_perms; - allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:lnk_file create_lnk_perms; - allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:sock_file manage_file_perms; - allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:fifo_file manage_file_perms; + allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms; + allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms; + allow $1_evolution_webcal_t $1_evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms; fs_tmpfs_filetrans($1_evolution_webcal_t,$1_evolution_webcal_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) # Transition from user type diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if index 130c389..629af63 100644 --- a/policy/modules/apps/games.if +++ b/policy/modules/apps/games.if @@ -158,7 +158,7 @@ template(`games_per_role_template',` # FIXME: Change to use per app types allow $1_games_t $1_gnome_settings_t:dir manage_dir_perms; allow $1_games_t $1_gnome_settings_t:file manage_file_perms; - allow $1_games_t $1_gnome_settings_t:lnk_file create_lnk_perms; + allow $1_games_t $1_gnome_settings_t:lnk_file manage_lnk_file_perms; #missing policy optional_policy(` dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto; diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index cd19f57..2864179 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -161,7 +161,6 @@ interface(`dev_create_generic_dirs',` type device_t; ') - allow $1 device_t:dir { ra_dir_perms create }; create_dirs_pattern($1,device_t,device_t) ') diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 232b16d..cc331e0 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -90,7 +90,7 @@ interface(`domain_entry_file',` ') allow $1 $2:file entrypoint; - allow $1 $2:file rx_file_perms; + allow $1 $2:file { mmap_file_perms ioctl lock }; typeattribute $2 entry_type; diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 2b782be..8078685 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -76,8 +76,8 @@ neverallow ~{ domain unlabeled_t } *:process *; # # read /proc/(pid|self) entries -allow domain self:dir r_dir_perms; -allow domain self:lnk_file r_file_perms; +allow domain self:dir list_dir_perms; +allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; kernel_read_proc_symlinks(domain) @@ -128,9 +128,9 @@ allow unconfined_domain_type domain:{ sem msgq shm } *; allow unconfined_domain_type domain:msg { send receive }; # For /proc/pid -allow unconfined_domain_type domain:dir r_dir_perms; -allow unconfined_domain_type domain:file r_file_perms; -allow unconfined_domain_type domain:lnk_file r_file_perms; +allow unconfined_domain_type domain:dir list_dir_perms; +allow unconfined_domain_type domain:file read_file_perms; +allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 8c7600f..e2b5f79 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1120,7 +1120,7 @@ interface(`files_list_root',` ') allow $1 root_t:dir list_dir_perms; - allow $1 root_t:lnk_file r_file_perms; + allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; ') ######################################## @@ -3556,7 +3556,7 @@ interface(`files_create_kernel_symbol_table',` type boot_t, system_map_t; ') - allow $1 boot_t:dir ra_dir_perms; + allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; allow $1 system_map_t:file { rw_file_perms create }; ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index eb5a1b5..3828ab4 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -182,25 +182,26 @@ allow kernel_t self:unix_dgram_socket create_socket_perms; allow kernel_t self:unix_stream_socket create_stream_socket_perms; allow kernel_t self:unix_dgram_socket sendto; allow kernel_t self:unix_stream_socket connectto; -allow kernel_t self:fifo_file rw_file_perms; -allow kernel_t self:sock_file r_file_perms; +allow kernel_t self:fifo_file rw_fifo_file_perms; +allow kernel_t self:sock_file read_sock_file_perms; allow kernel_t self:fd use; -allow kernel_t proc_t:dir r_dir_perms; -allow kernel_t proc_t:{ lnk_file file } r_file_perms; +allow kernel_t proc_t:dir list_dir_perms; +allow kernel_t proc_t:file read_file_perms; +allow kernel_t proc_t:lnk_file read_lnk_file_perms; -allow kernel_t proc_net_t:dir r_dir_perms; -allow kernel_t proc_net_t:file r_file_perms; +allow kernel_t proc_net_t:dir list_dir_perms; +allow kernel_t proc_net_t:file read_file_perms; -allow kernel_t proc_mdstat_t:file r_file_perms; +allow kernel_t proc_mdstat_t:file read_file_perms; allow kernel_t proc_kcore_t:file getattr; allow kernel_t proc_kmsg_t:file getattr; -allow kernel_t sysctl_kernel_t:dir r_dir_perms; -allow kernel_t sysctl_kernel_t:file r_file_perms; -allow kernel_t sysctl_t:dir r_dir_perms; +allow kernel_t sysctl_kernel_t:dir list_dir_perms; +allow kernel_t sysctl_kernel_t:file read_file_perms; +allow kernel_t sysctl_t:dir list_dir_perms; # Other possible mount points for the root fs are in files allow kernel_t unlabeled_t:dir mounton; diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index b61103c..55d294f 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -176,7 +176,7 @@ template(`cron_per_role_template',` ifdef(`mta.te', ` domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t) - allow $1_crond_t sendmail_exec_t:lnk_file r_file_perms; + allow $1_crond_t sendmail_exec_t:lnk_file read_lnk_file_perms; # $1_mail_t should only be reading from the cron fifo not needing to write dontaudit $1_mail_t crond_t:fifo_file write; diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index bbb3207..526c8dd 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -159,7 +159,7 @@ allow dovecot_auth_t dovecot_passwd_t:file { getattr read }; manage_files_pattern(dovecot_t,dovecot_var_lib_t,dovecot_var_lib_t) files_search_var_lib(dovecot_t) -allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms; +allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; kernel_read_all_sysctls(dovecot_auth_t) kernel_read_system_state(dovecot_auth_t) diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if index f24bd26..6f73e15 100644 --- a/policy/modules/services/ftp.if +++ b/policy/modules/services/ftp.if @@ -84,7 +84,7 @@ interface(`ftp_check_exec',` ') corecmd_search_bin($1) - allow $1 ftpd_exec_t:file x_file_perms; + allow $1 ftpd_exec_t:file { getattr execute }; ') ######################################## diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if index 7e4e584..89fc44e 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -49,7 +49,7 @@ template(`postfix_domain_template',` can_exec(postfix_$1_t, postfix_$1_exec_t) - allow postfix_$1_t postfix_exec_t:file rx_file_perms; + allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock ioctl }; allow postfix_$1_t postfix_master_t:process sigchld; diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 6d46211..d947ce8 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -104,7 +104,7 @@ allow postfix_master_t postfix_etc_t:file rw_file_perms; can_exec(postfix_master_t,postfix_exec_t) -allow postfix_master_t postfix_map_exec_t:file rx_file_perms; +allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; allow postfix_master_t postfix_postdrop_exec_t:file getattr; diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if index 06b14d9..81a8b2a 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -317,9 +317,6 @@ template(`spamassassin_per_role_template',` mta_read_config($1_spamassassin_t) sendmail_stub($1_spamassassin_t) ') - - # For perl libraries. - allow $1_spamassassin_t lib_t:file rx_file_perms; ') ######################################## diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index b7654c3..5760427 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -222,9 +222,6 @@ libs_use_shared_libs(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) -allow ssh_keygen_t proc_t:dir r_dir_perms; -allow ssh_keygen_t proc_t:lnk_file read; - userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index c8b8375..e572a3a 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -412,7 +412,7 @@ template(`xserver_per_role_template',` allow $2 $1_iceauth_home_t:file manage_file_perms; allow $2 $1_iceauth_home_t:file { relabelfrom relabelto }; - allow xdm_t $1_iceauth_home_t:file r_file_perms; + allow xdm_t $1_iceauth_home_t:file read_file_perms; fs_search_auto_mountpoints($1_iceauth_t) @@ -1174,7 +1174,7 @@ interface(`xserver_dontaudit_read_xdm_tmp_files',` ') dontaudit $1 xdm_tmp_t:dir search_dir_perms; - dontaudit $1 xdm_tmp_t:file r_file_perms; + dontaudit $1 xdm_tmp_t:file read_file_perms; ') ######################################## diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 3b80581..79b8b30 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -145,8 +145,8 @@ files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir file fifo_file }) allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms; -allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms }; +allow xdm_t xdm_xserver_tmp_t:sock_file rw_sock_file_perms; +allow xdm_t xdm_xserver_tmp_t:dir { setattr list_dir_perms }; # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xdm_xserver_t) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index e9798d4..3111a62 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -29,8 +29,8 @@ files_type(swapfile_t) allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search }; allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap }; allow fsadm_t self:fd use; -allow fsadm_t self:fifo_file rw_file_perms; -allow fsadm_t self:sock_file r_file_perms; +allow fsadm_t self:fifo_file rw_fifo_file_perms; +allow fsadm_t self:sock_file read_sock_file_perms; allow fsadm_t self:unix_dgram_socket create_socket_perms; allow fsadm_t self:unix_stream_socket create_stream_socket_perms; allow fsadm_t self:unix_dgram_socket sendto; diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index a03600b..bb8d897 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -37,8 +37,8 @@ allow local_login_t self:capability { dac_override chown fowner fsetid kill setg allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow local_login_t self:process { setrlimit setexec }; allow local_login_t self:fd use; -allow local_login_t self:fifo_file rw_file_perms; -allow local_login_t self:sock_file r_file_perms; +allow local_login_t self:fifo_file rw_fifo_file_perms; +allow local_login_t self:sock_file read_sock_file_perms; allow local_login_t self:unix_dgram_socket create_socket_perms; allow local_login_t self:unix_stream_socket create_stream_socket_perms; allow local_login_t self:unix_dgram_socket sendto; diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index d0b8d94..a2d363f 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -102,13 +102,12 @@ logging_send_syslog_msg(auditctl_t) allow auditd_t self:capability { audit_write audit_control fsetid sys_nice sys_resource }; dontaudit auditd_t self:capability sys_tty_config; allow auditd_t self:process { signal_perms setpgid setsched }; -allow auditd_t self:file { getattr read write }; allow auditd_t self:unix_dgram_socket create_socket_perms; allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; -allow auditd_t self:fifo_file rw_file_perms; +allow auditd_t self:fifo_file rw_fifo_file_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; -allow auditd_t auditd_etc_t:file r_file_perms; +allow auditd_t auditd_etc_t:file read_file_perms; manage_files_pattern(auditd_t,auditd_log_t,auditd_log_t) manage_lnk_files_pattern(auditd_t,auditd_log_t,auditd_log_t) diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index efd5532..9d195e1 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -49,7 +49,7 @@ allow insmod_t self:udp_socket create_socket_perms; allow insmod_t self:rawip_socket create_socket_perms; # Read module config and dependency information -allow insmod_t { modules_conf_t modules_dep_t }:file r_file_perms; +allow insmod_t { modules_conf_t modules_dep_t }:file read_file_perms; can_exec(insmod_t, insmod_exec_t) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 94b2bbe..2b4bc5b 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -517,9 +517,9 @@ allow setfiles_t self:capability { dac_override dac_read_search fowner }; dontaudit setfiles_t self:capability sys_tty_config; allow setfiles_t self:fifo_file rw_file_perms; -allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms; -allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; -allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; +allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir list_dir_perms; +allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file read_file_perms; +allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; kernel_read_system_state(setfiles_t) kernel_relabelfrom_unlabeled_dirs(setfiles_t) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index ab74d5a..ee39d61 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -2667,7 +2667,7 @@ template(`userdom_dontaudit_read_user_tmp_files',` type $1_tmp_t; ') - dontaudit $2 $1_tmp_t:file r_file_perms; + dontaudit $2 $1_tmp_t:file read_file_perms; ') ######################################## @@ -3491,7 +3491,7 @@ template(`userdom_dontaudit_read_user_tmp_untrusted_content_files',` type $1_untrusted_content_tmp_t; ') - dontaudit $2 $1_untrusted_content_tmp_t:file r_file_perms; + dontaudit $2 $1_untrusted_content_tmp_t:file read_file_perms; ') ######################################## diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt index 69c9366..54a9dac 100644 --- a/policy/support/file_patterns.spt +++ b/policy/support/file_patterns.spt @@ -529,7 +529,7 @@ define(`relabel_chr_files_pattern',` # pattern(domain,dirtype,newtype,class(es)) # define(`filetrans_add_pattern',` - allow $1 $2:dir ra_dir_perms; + allow $1 $2:dir { list_dir_perms add_entry_dir_perms }; type_transition $1 $2:$4 $3; ') diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt index e6924e6..4ca5688 100644 --- a/policy/support/misc_macros.spt +++ b/policy/support/misc_macros.spt @@ -67,7 +67,7 @@ define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'if # # can_exec(domain,executable) # -define(`can_exec',`allow $1 $2:file { rx_file_perms execute_no_trans };') +define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };') ######################################## # diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt index 5d5321b..1e41c04 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -54,48 +54,42 @@ define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket un # # Permissions for getting file attributes. # -define(`stat_file_perms', `{ getattr }') +define(`stat_file_perms', `{ getattr } refpolicywarn(`$0 is deprecated please use getattr_file_perms instead.')') # # Permissions for executing files. # -define(`x_file_perms', `{ getattr execute }') +define(`x_file_perms', `{ getattr execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')') # # Permissions for reading files and their attributes. # -define(`r_file_perms', `{ read getattr lock ioctl }') +define(`r_file_perms', `{ read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')') # # Permissions for reading and executing files. # -define(`rx_file_perms', `{ read getattr lock execute ioctl }') +define(`rx_file_perms', `{ read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')') # # Permissions for reading and appending to files. # -define(`ra_file_perms', `{ ioctl read getattr lock append }') +define(`ra_file_perms', `{ ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')') # # Permissions for linking, unlinking and renaming files. # -define(`link_file_perms', `{ getattr link unlink rename }') +define(`link_file_perms', `{ getattr link unlink rename } refpolicywarn(`$0 is deprecated please use { getattr link unlink rename } instead.')') # # Permissions for creating lnk_files. # -define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }') - -# -# Permissions for creating and using files. -# -# deprecated by new perm set below -#define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }') +define(`create_lnk_perms', `{ create read getattr setattr link unlink rename } refpolicywarn(`$0 is deprecated please use manage_lnk_file_perms instead.')') # # Permissions for reading directories and their attributes. # -define(`r_dir_perms', `{ read getattr lock search ioctl }') +define(`r_dir_perms', `{ read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')') # # Permissions for reading and writing directories and their attributes. @@ -105,16 +99,10 @@ define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name wr # # Permissions for reading and adding names to directories. # -define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }') +define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')') # -# Permissions for creating and using directories. -# -# deprecated by new perm set below -#define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }') - -# # Permissions to mount and unmount file systems. # define(`mount_fs_perms', `{ mount remount unmount getattr }')