diff --git a/doc/example.te b/doc/example.te index af61f6e4c0..776d0522d2 100644 --- a/doc/example.te +++ b/doc/example.te @@ -22,7 +22,7 @@ files_tmp_file(myapp_tmp_t) # Myapp local policy # -allow myapp_t myapp_log_t:file { read_file_perms append_file_perms }; +allow myapp_t myapp_log_t:file { append_file_perms read_file_perms }; allow myapp_t myapp_tmp_t:file manage_file_perms; files_tmp_filetrans(myapp_t,myapp_tmp_t,file) diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if index 1de178801c..3c1becedc6 100644 --- a/policy/modules/admin/amanda.if +++ b/policy/modules/admin/amanda.if @@ -138,7 +138,7 @@ interface(`amanda_append_log_files',` ') logging_search_logs($1) - allow $1 amanda_log_t:file { read_file_perms append_file_perms }; + allow $1 amanda_log_t:file { append_file_perms read_file_perms }; ') ####################################### diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te index 4f9cc64109..59b9edfb46 100644 --- a/policy/modules/admin/amanda.te +++ b/policy/modules/admin/amanda.te @@ -140,7 +140,7 @@ logging_send_syslog_msg(amanda_t) # allow amanda_recover_t self:capability { chown dac_override fowner fsetid kill setgid setuid }; -allow amanda_recover_t self:process { sigkill sigstop signal }; +allow amanda_recover_t self:process { sigkill signal sigstop }; allow amanda_recover_t self:fifo_file rw_fifo_file_perms; allow amanda_recover_t self:unix_stream_socket create_socket_perms; allow amanda_recover_t self:tcp_socket { accept listen }; diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te index 683a2479b1..edeaa4b519 100644 --- a/policy/modules/admin/anaconda.te +++ b/policy/modules/admin/anaconda.te @@ -22,7 +22,7 @@ role system_r types anaconda_t; # allow anaconda_t self:process execmem; -allow anaconda_t self:passwd { rootok passwd chfn chsh }; +allow anaconda_t self:passwd { chfn chsh passwd rootok }; kernel_domtrans_to(anaconda_t, anaconda_exec_t) 
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te index 0852440063..4161da7537 100644 --- a/policy/modules/admin/apt.te +++ b/policy/modules/admin/apt.te @@ -40,7 +40,7 @@ logging_log_file(apt_var_log_t) # allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid }; -allow apt_t self:process { signal setpgid fork }; +allow apt_t self:process { fork setpgid signal }; allow apt_t self:fd use; allow apt_t self:fifo_file rw_fifo_file_perms; allow apt_t self:unix_dgram_socket sendto; @@ -50,7 +50,7 @@ allow apt_t self:tcp_socket create_stream_socket_perms; allow apt_t self:shm create_shm_perms; allow apt_t self:sem create_sem_perms; allow apt_t self:msgq create_msgq_perms; -allow apt_t self:msg { send receive }; +allow apt_t self:msg { receive send }; allow apt_t self:netlink_route_socket r_netlink_socket_perms; allow apt_t apt_lock_t:dir manage_dir_perms; diff --git a/policy/modules/admin/blueman.te b/policy/modules/admin/blueman.te index d639296977..b4395d3297 100644 --- a/policy/modules/admin/blueman.te +++ b/policy/modules/admin/blueman.te @@ -21,7 +21,7 @@ files_type(blueman_var_lib_t) # allow blueman_t self:capability { net_admin sys_nice }; -allow blueman_t self:process { signal_perms setsched }; +allow blueman_t self:process { setsched signal_perms }; allow blueman_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 5a7e1cd4da..875c5df819 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te 
@@ -43,7 +43,7 @@ dev_node(bootloader_tmp_t) allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio }; dontaudit bootloader_t self:capability { net_admin sys_resource }; -allow bootloader_t self:process { signal_perms execmem }; +allow bootloader_t self:process { execmem signal_perms }; allow bootloader_t self:fifo_file rw_fifo_file_perms; allow bootloader_t bootloader_etc_t:file read_file_perms; @@ -203,7 +203,7 @@ ifdef(`distro_redhat',` # for memlock allow bootloader_t self:capability ipc_lock; - allow bootloader_t boot_runtime_t:file { read_file_perms delete_file_perms }; + allow bootloader_t boot_runtime_t:file { delete_file_perms read_file_perms }; # new file system defaults to unlabeled, granting unlabeled access is still bad. kernel_manage_unlabeled_dirs(bootloader_t) diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te index 754204c561..356b6cc0bc 100644 --- a/policy/modules/admin/certwatch.te +++ b/policy/modules/admin/certwatch.te @@ -19,7 +19,7 @@ role certwatch_roles types certwatch_t; # allow certwatch_t self:capability sys_nice; -allow certwatch_t self:process { setsched getsched }; +allow certwatch_t self:process { getsched setsched }; dev_read_urand(certwatch_t) diff --git a/policy/modules/admin/cloudinit.te b/policy/modules/admin/cloudinit.te index 94f7eabd23..12e02dbc9f 100644 --- a/policy/modules/admin/cloudinit.te +++ b/policy/modules/admin/cloudinit.te @@ -51,7 +51,7 @@ allow cloud_init_t self:fifo_file rw_fifo_file_perms; allow cloud_init_t self:unix_dgram_socket create_socket_perms; allow cloud_init_t self:passwd passwd; -allow cloud_init_t cloud_init_log_t:file { create_file_perms append_file_perms read setattr }; +allow cloud_init_t cloud_init_log_t:file { append_file_perms create_file_perms read setattr }; logging_log_filetrans(cloud_init_t, cloud_init_log_t, file) manage_files_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_t) 
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te index 1989db82c9..4b7097921b 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te @@ -16,7 +16,7 @@ init_system_domain(consoletype_t, consoletype_exec_t) # allow consoletype_t self:capability { sys_admin sys_tty_config }; -allow consoletype_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow consoletype_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow consoletype_t self:fd use; allow consoletype_t self:fifo_file rw_fifo_file_perms; allow consoletype_t self:sock_file read_sock_file_perms; @@ -27,7 +27,7 @@ allow consoletype_t self:unix_stream_socket connectto; allow consoletype_t self:shm create_shm_perms; allow consoletype_t self:sem create_sem_perms; allow consoletype_t self:msgq create_msgq_perms; -allow consoletype_t self:msg { send receive }; +allow consoletype_t self:msg { receive send }; kernel_use_fds(consoletype_t) kernel_dontaudit_read_system_state(consoletype_t) diff --git a/policy/modules/admin/dphysswapfile.te b/policy/modules/admin/dphysswapfile.te index e86a3e7402..ff6de37b90 100644 --- a/policy/modules/admin/dphysswapfile.te +++ b/policy/modules/admin/dphysswapfile.te @@ -29,7 +29,7 @@ init_unit_file(dphysswapfile_unit_t) # sys_admin : swapon allow dphysswapfile_t self:capability sys_admin; allow dphysswapfile_t self:fifo_file rw_fifo_file_perms; -allow dphysswapfile_t self:unix_stream_socket { create connect }; +allow dphysswapfile_t self:unix_stream_socket { connect create }; allow dphysswapfile_t dphysswapfile_conf_t:file read_file_perms; 
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te index 67499a9226..35a74e8929 100644 --- a/policy/modules/admin/dpkg.te +++ b/policy/modules/admin/dpkg.te @@ -54,7 +54,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t) # allow dpkg_t self:capability { chown dac_override fowner fsetid kill linux_immutable mknod setgid setuid sys_nice sys_resource sys_tty_config }; -allow dpkg_t self:process { setpgid fork getsched setfscreate }; +allow dpkg_t self:process { fork getsched setfscreate setpgid }; allow dpkg_t self:fd use; allow dpkg_t self:fifo_file rw_fifo_file_perms; allow dpkg_t self:unix_dgram_socket create_socket_perms; @@ -66,7 +66,7 @@ allow dpkg_t self:tcp_socket create_stream_socket_perms; allow dpkg_t self:shm create_shm_perms; allow dpkg_t self:sem create_sem_perms; allow dpkg_t self:msgq create_msgq_perms; -allow dpkg_t self:msg { send receive }; +allow dpkg_t self:msg { receive send }; allow dpkg_t dpkg_lock_t:file manage_file_perms; @@ -201,7 +201,7 @@ optional_policy(` # allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setfcap setgid setuid sys_chroot sys_nice sys_ptrace }; -allow dpkg_script_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow dpkg_script_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setfscreate setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow dpkg_script_t self:fd use; allow dpkg_script_t self:fifo_file rw_fifo_file_perms; allow dpkg_script_t self:unix_dgram_socket create_socket_perms; 
@@ -211,7 +211,7 @@ allow dpkg_script_t self:unix_stream_socket connectto; allow dpkg_script_t self:shm create_shm_perms; allow dpkg_script_t self:sem create_sem_perms; allow dpkg_script_t self:msgq create_msgq_perms; -allow dpkg_script_t self:msg { send receive }; +allow dpkg_script_t self:msg { receive send }; allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow dpkg_script_t self:udp_socket create_socket_perms; diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te index fa28fd4e4b..5e66f0b657 100644 --- a/policy/modules/admin/firstboot.te +++ b/policy/modules/admin/firstboot.te @@ -1,7 +1,7 @@ policy_module(firstboot) gen_require(` - class passwd { passwd chfn chsh rootok }; + class passwd { chfn chsh passwd rootok }; ') ######################################## @@ -33,7 +33,7 @@ allow firstboot_t self:capability { dac_override setgid }; allow firstboot_t self:process setfscreate; allow firstboot_t self:fifo_file rw_fifo_file_perms; allow firstboot_t self:tcp_socket { accept listen }; -allow firstboot_t self:passwd { rootok passwd chfn chsh }; +allow firstboot_t self:passwd { chfn chsh passwd rootok }; allow firstboot_t firstboot_etc_t:file read_file_perms; diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index bcac91b48e..2879417767 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te 
@@ -36,11 +36,11 @@ init_unit_file(logrotate_unit_t) # # sys_ptrace is for systemctl -allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource }; +allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_ptrace sys_resource }; dontaudit logrotate_t self:cap_userns sys_ptrace; # systemctl asks for net_admin dontaudit logrotate_t self:capability net_admin; -allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow logrotate_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition }; allow logrotate_t self:fd use; allow logrotate_t self:key manage_key_perms; allow logrotate_t self:fifo_file rw_fifo_file_perms; @@ -49,7 +49,7 @@ allow logrotate_t self:unix_stream_socket { accept connectto listen }; allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; -allow logrotate_t self:msg { send receive }; +allow logrotate_t self:msg { receive send }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te index ae02e39b08..c37877e224 100644 --- a/policy/modules/admin/logwatch.te +++ b/policy/modules/admin/logwatch.te 
@@ -38,7 +38,7 @@ role system_r types logwatch_mail_t; # allow logwatch_t self:capability { dac_override dac_read_search setgid }; -allow logwatch_t self:process { signal getsched }; +allow logwatch_t self:process { getsched signal }; allow logwatch_t self:fifo_file rw_fifo_file_perms; allow logwatch_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te index 779c84a355..92b1584b85 100644 --- a/policy/modules/admin/mcelog.te +++ b/policy/modules/admin/mcelog.te @@ -112,7 +112,7 @@ tunable_policy(`mcelog_foreground',` ') tunable_policy(`mcelog_server',` - allow mcelog_t self:unix_stream_socket { listen accept }; + allow mcelog_t self:unix_stream_socket { accept listen }; ') tunable_policy(`mcelog_syslog',` diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 815e4c120d..f642e59b35 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -112,8 +112,8 @@ allow ping_t self:capability { net_raw setuid }; allow ping_t self:process { getcap setcap }; dontaudit ping_t self:capability sys_tty_config; allow ping_t self:tcp_socket create_socket_perms; -allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr }; -allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; +allow ping_t self:rawip_socket { bind create getattr getopt ioctl read setopt write }; +allow ping_t self:packet_socket { bind create getopt ioctl read setopt write }; allow ping_t self:netlink_route_socket create_netlink_socket_perms; allow ping_t self:icmp_socket create_socket_perms; 
@@ -163,7 +163,7 @@ allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms; allow traceroute_t self:process signal; allow traceroute_t self:netlink_generic_socket create_socket_perms; allow traceroute_t self:rawip_socket create_socket_perms; -allow traceroute_t self:packet_socket { map create_socket_perms }; +allow traceroute_t self:packet_socket { create_socket_perms map }; allow traceroute_t self:udp_socket create_socket_perms; can_exec(traceroute_t, traceroute_exec_t) diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index 62a11f15ae..4b10a4e778 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -71,13 +71,13 @@ interface(`portage_compile_domain',` allow $1 self:capability { chown dac_override fowner fsetid mknod net_raw setgid setuid }; dontaudit $1 self:capability sys_chroot; - allow $1 self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit }; + allow $1 self:process { dyntransition execmem getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition }; allow $1 self:fd use; allow $1 self:fifo_file rw_fifo_file_perms; allow $1 self:shm create_shm_perms; allow $1 self:sem create_sem_perms; allow $1 self:msgq create_msgq_perms; - allow $1 self:msg { send receive }; + allow $1 self:msg { receive send }; allow $1 self:unix_dgram_socket create_socket_perms; allow $1 self:unix_stream_socket create_stream_socket_perms; allow $1 self:unix_dgram_socket sendto; 
@@ -96,7 +96,7 @@ interface(`portage_compile_domain',` # write compile logs allow $1 portage_log_t:dir setattr_dir_perms; - allow $1 portage_log_t:file { write_file_perms setattr_file_perms }; + allow $1 portage_log_t:file { setattr_file_perms write_file_perms }; # Support live ebuilds (-9999) manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index b8a820fb39..cea20fb994 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -353,7 +353,7 @@ dontaudit portage_sandbox_t self:netlink_route_socket create_netlink_socket_perm dontaudit portage_sandbox_t portage_cache_t:dir { setattr_dir_perms }; dontaudit portage_sandbox_t portage_cache_t:file { setattr_file_perms write }; -allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms }; +allow portage_sandbox_t portage_log_t:file { append_file_perms create_file_perms delete_file_perms setattr_file_perms }; logging_log_filetrans(portage_sandbox_t, portage_log_t, file) allow portage_sandbox_t portage_tmp_t:dir watch; diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te index 6acb35de46..ecd536d4df 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te 
@@ -53,10 +53,10 @@ append_files_pattern(prelink_t, prelink_log_t, prelink_log_t) read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t) logging_log_filetrans(prelink_t, prelink_log_t, file) -allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_exec_file_perms relabel_file_perms execmod }; +allow prelink_t prelink_tmp_t:file { execmod manage_file_perms mmap_exec_file_perms relabel_file_perms }; files_tmp_filetrans(prelink_t, prelink_tmp_t, file) -allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_exec_file_perms relabel_file_perms execmod }; +allow prelink_t prelink_tmpfs_t:file { execmod manage_file_perms mmap_exec_file_perms relabel_file_perms }; fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file) manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) @@ -156,7 +156,7 @@ optional_policy(` optional_policy(` allow prelink_cron_system_t self:capability setuid; - allow prelink_cron_system_t self:process { setsched setfscreate signal }; + allow prelink_cron_system_t self:process { setfscreate setsched signal }; allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms; allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms; diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te index c7e574ce15..9986701016 100644 --- a/policy/modules/admin/puppet.te +++ b/policy/modules/admin/puppet.te @@ -63,7 +63,7 @@ files_tmp_file(puppetmaster_tmp_t) # allow puppet_t self:capability { chown dac_override fowner fsetid setgid setuid sys_admin sys_nice sys_tty_config }; -allow puppet_t self:process { signal signull getsched setsched }; +allow puppet_t self:process { getsched setsched signal signull }; allow puppet_t self:fifo_file rw_fifo_file_perms; allow puppet_t self:netlink_route_socket create_netlink_socket_perms; allow puppet_t self:tcp_socket { accept listen }; 
@@ -257,7 +257,7 @@ optional_policy(` # allow puppetmaster_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config }; -allow puppetmaster_t self:process { signal_perms getsched setsched }; +allow puppetmaster_t self:process { getsched setsched signal_perms }; allow puppetmaster_t self:fifo_file rw_fifo_file_perms; allow puppetmaster_t self:netlink_route_socket nlmsg_write; allow puppetmaster_t self:socket create; @@ -277,7 +277,7 @@ logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms }; allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms }; -allow puppetmaster_t puppet_runtime_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms }; +allow puppetmaster_t puppet_runtime_t:dir { create_dir_perms relabel_dir_perms setattr_dir_perms }; allow puppetmaster_t puppet_runtime_t:file manage_file_perms; files_runtime_filetrans(puppetmaster_t, puppet_runtime_t, { file dir }) diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te index b3bceaef9b..b5a3e24828 100644 --- a/policy/modules/admin/quota.te +++ b/policy/modules/admin/quota.te @@ -33,7 +33,7 @@ files_runtime_file(quota_nld_runtime_t) # Local policy # -allow quota_t self:capability { dac_override sys_admin linux_immutable }; +allow quota_t self:capability { dac_override linux_immutable sys_admin}; dontaudit quota_t self:capability sys_tty_config; allow quota_t self:process signal_perms; diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index 1a2210bc8c..43febed3fa 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te 
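Review bot: The re-sorted capability set for quota_t in quota.te loses the space before the closing brace, `{ dac_override linux_immutable sys_admin};`, which is inconsistent with every other brace-delimited set in this series and with the surrounding file; it should read `allow quota_t self:capability { dac_override linux_immutable sys_admin };`. The policy compiler will most likely still tokenise `sys_admin}` correctly, so this is a style and consistency point rather than a functional one, but a whitespace-normalising series is exactly where it will be noticed. The puppet and quota hunks on this line are otherwise pure reorders with no permission added or dropped.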
@@ -82,8 +82,8 @@ files_tmpfs_file(rpm_script_tmpfs_t) # rpm Local policy # -allow rpm_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config }; -allow rpm_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit }; +allow rpm_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config }; +allow rpm_t self:process { dyntransition execmem getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition }; allow rpm_t self:fd use; allow rpm_t self:fifo_file rw_fifo_file_perms; allow rpm_t self:unix_dgram_socket sendto; @@ -93,7 +93,7 @@ allow rpm_t self:tcp_socket { accept listen }; allow rpm_t self:shm create_shm_perms; allow rpm_t self:sem create_sem_perms; allow rpm_t self:msgq create_msgq_perms; -allow rpm_t self:msg { send receive }; +allow rpm_t self:msg { receive send }; allow rpm_t self:file rw_file_perms; allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms; 
@@ -258,7 +258,7 @@ optional_policy(` # allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setgid setuid sys_admin sys_chroot sys_nice sys_rawio }; -allow rpm_script_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit }; +allow rpm_script_t self:process { dyntransition execmem execstack getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; allow rpm_script_t self:unix_dgram_socket sendto; @@ -266,7 +266,7 @@ allow rpm_script_t self:unix_stream_socket { accept connectto listen }; allow rpm_script_t self:shm create_shm_perms; allow rpm_script_t self:sem create_sem_perms; allow rpm_script_t self:msgq create_msgq_perms; -allow rpm_script_t self:msg { send receive }; +allow rpm_script_t self:msg { receive send }; allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms; allow rpm_script_t rpm_t:netlink_route_socket { read write }; diff --git a/policy/modules/admin/samhain.te b/policy/modules/admin/samhain.te index bef800f754..40dfd44c0e 100644 --- a/policy/modules/admin/samhain.te +++ b/policy/modules/admin/samhain.te @@ -46,7 +46,7 @@ ifdef(`enable_mls',` allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock }; dontaudit samhain_domain self:capability { sys_ptrace sys_resource }; -allow samhain_domain self:process { setsched setrlimit signull }; +allow samhain_domain self:process { setrlimit setsched signull }; allow samhain_domain self:fd use; allow samhain_domain self:fifo_file rw_fifo_file_perms; 
diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te index fa3168a6ec..322118a048 100644 --- a/policy/modules/admin/sosreport.te +++ b/policy/modules/admin/sosreport.te @@ -33,7 +33,7 @@ optional_policy(` allow sosreport_t self:capability { dac_override kill net_admin net_raw setuid sys_admin sys_nice }; dontaudit sosreport_t self:capability sys_ptrace; -allow sosreport_t self:process { setsched setpgid signal_perms }; +allow sosreport_t self:process { setpgid setsched signal_perms }; allow sosreport_t self:fifo_file rw_fifo_file_perms; allow sosreport_t self:tcp_socket { accept listen }; allow sosreport_t self:unix_stream_socket { accept listen }; diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index dce1a0ea9b..80a4d11e5f 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -45,9 +45,9 @@ template(`su_restricted_domain_template', ` allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource }; dontaudit $1_su_t self:capability sys_tty_config; allow $1_su_t self:key { search write }; - allow $1_su_t self:process { setexec setsched setrlimit signal }; + allow $1_su_t self:process { setexec setrlimit setsched signal }; allow $1_su_t self:fifo_file rw_fifo_file_perms; - allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; + allow $1_su_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow $1_su_t self:unix_stream_socket create_stream_socket_perms; # Transition from the user domain to this domain. 
@@ -159,9 +159,9 @@ template(`su_role_template',` allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource }; dontaudit $1_su_t self:capability { net_admin sys_tty_config }; - allow $1_su_t self:process { setexec setsched setrlimit signal }; + allow $1_su_t self:process { setexec setrlimit setsched signal }; allow $1_su_t self:fifo_file rw_fifo_file_perms; - allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; + allow $1_su_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow $1_su_t self:key { search write }; # By default, revert to the calling domain when a shell is executed. diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index d4d1c12fef..7433dfc333 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if 
@@ -58,14 +58,14 @@ template(`sudo_role_template',` # Use capabilities. allow $1_sudo_t self:capability { chown dac_override fowner kill setgid setuid sys_nice sys_resource }; - allow $1_sudo_t self:process { signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr getrlimit rlimitinh siginh transition setsockcreate dyntransition noatsecure setkeycreate }; + allow $1_sudo_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow $1_sudo_t self:process { setexec setrlimit }; allow $1_sudo_t self:fd use; allow $1_sudo_t self:fifo_file rw_fifo_file_perms; allow $1_sudo_t self:shm create_shm_perms; allow $1_sudo_t self:sem create_sem_perms; allow $1_sudo_t self:msgq create_msgq_perms; - allow $1_sudo_t self:msg { send receive }; + allow $1_sudo_t self:msg { receive send }; allow $1_sudo_t self:netlink_selinux_socket create_socket_perms; allow $1_sudo_t self:unix_dgram_socket create_socket_perms; allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index daeaa090e1..10c40aad0b 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te 
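Review bot: The sorted rule `allow $1_sudo_t self:process { dyntransition … transition };` in sudo_role_template is immediately followed by a second, unchanged rule for the same source, target and class, `allow $1_sudo_t self:process { setexec setrlimit };`. Since this series is normalising permission sets so they can be read and compared at a glance, consider folding the two into one sorted set so the effective process permissions of $1_sudo_t appear on a single line; if the split is deliberate, a one-line comment above the second rule explaining why would stop a later cleanup from merging it. The template body starts and ends outside the hunk.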
@@ -70,14 +70,14 @@ role useradd_roles types useradd_t; # allow chfn_t self:capability { chown dac_override fsetid setgid setuid sys_resource }; -allow chfn_t self:process { transition sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow chfn_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh sigkill signal signull sigstop transition }; allow chfn_t self:fd use; allow chfn_t self:fifo_file rw_fifo_file_perms; allow chfn_t self:sock_file read_sock_file_perms; allow chfn_t self:shm create_shm_perms; allow chfn_t self:sem create_sem_perms; allow chfn_t self:msgq create_msgq_perms; -allow chfn_t self:msg { send receive }; +allow chfn_t self:msg { receive send }; allow chfn_t self:unix_dgram_socket create_socket_perms; allow chfn_t self:unix_stream_socket create_stream_socket_perms; allow chfn_t self:unix_dgram_socket sendto; 
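Review bot: After sorting, the chfn_t process set in usermanage.te still spells out `sigkill signal signull sigstop` individually, whereas the neighbouring domains touched by this same series (groupadd_t, passwd_t, sysadm_passwd_t, useradd_t) all use `signal_perms`. If leaving out the macro here is intentional, a short comment above the rule saying so (for example noting which signal permission is deliberately not granted) would keep the next normalisation pass from "fixing" it; if it is not, replacing the four names with `signal_perms` would bring the rule in line with the rest of the file. The hunk is otherwise a pure reorder, with the same 23 permissions on both sides.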
@@ -190,13 +190,13 @@ optional_policy(` allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource }; dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config }; -allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow groupadd_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition }; allow groupadd_t self:fd use; allow groupadd_t self:fifo_file rw_fifo_file_perms; allow groupadd_t self:shm create_shm_perms; allow groupadd_t self:sem create_sem_perms; allow groupadd_t self:msgq create_msgq_perms; -allow groupadd_t self:msg { send receive }; +allow groupadd_t self:msg { receive send }; allow groupadd_t self:unix_dgram_socket create_socket_perms; allow groupadd_t self:unix_stream_socket create_stream_socket_perms; allow groupadd_t self:unix_dgram_socket sendto; @@ -305,7 +305,7 @@ optional_policy(` allow passwd_t self:capability { chown dac_override fsetid setgid setuid sys_nice sys_resource }; dontaudit passwd_t self:capability sys_tty_config; -allow passwd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow passwd_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition }; allow passwd_t self:fd use; allow passwd_t self:fifo_file rw_fifo_file_perms; allow passwd_t self:sock_file read_sock_file_perms; 
@@ -316,7 +316,7 @@ allow passwd_t self:unix_stream_socket connectto; allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; -allow passwd_t self:msg { send receive }; +allow passwd_t self:msg { receive send }; allow passwd_t crack_db_t:dir list_dir_perms; read_lnk_files_pattern(passwd_t, crack_db_t, crack_db_t) @@ -396,7 +396,7 @@ optional_policy(` # allow sysadm_passwd_t self:capability { chown dac_override fsetid setgid setuid sys_resource }; -allow sysadm_passwd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow sysadm_passwd_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition }; allow sysadm_passwd_t self:fd use; allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms; allow sysadm_passwd_t self:sock_file read_sock_file_perms; @@ -407,7 +407,7 @@ allow sysadm_passwd_t self:unix_stream_socket connectto; allow sysadm_passwd_t self:shm create_shm_perms; allow sysadm_passwd_t self:sem create_sem_perms; allow sysadm_passwd_t self:msgq create_msgq_perms; -allow sysadm_passwd_t self:msg { send receive }; +allow sysadm_passwd_t self:msg { receive send }; # allow vipw to create temporary files under /var/tmp/vi.recover manage_dirs_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t) 
@@ -481,13 +481,13 @@ optional_policy(` allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource }; dontaudit useradd_t self:capability { net_admin sys_ptrace sys_tty_config }; dontaudit useradd_t self:cap_userns sys_ptrace; -allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow useradd_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setfscreate setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow useradd_t self:fd use; allow useradd_t self:fifo_file rw_fifo_file_perms; allow useradd_t self:shm create_shm_perms; allow useradd_t self:sem create_sem_perms; allow useradd_t self:msgq create_msgq_perms; -allow useradd_t self:msg { send receive }; +allow useradd_t self:msg { receive send }; allow useradd_t self:unix_dgram_socket create_socket_perms; allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te index bdb6e438ed..83ba7acaae 100644 --- a/policy/modules/apps/calamaris.te +++ b/policy/modules/apps/calamaris.te @@ -24,7 +24,7 @@ files_type(calamaris_www_t) # allow calamaris_t self:capability dac_override; -allow calamaris_t self:process { signal_perms setsched }; +allow calamaris_t self:process { setsched signal_perms }; allow calamaris_t self:fifo_file rw_fifo_file_perms; allow calamaris_t self:unix_stream_socket { accept listen }; allow calamaris_t self:tcp_socket { accept listen }; diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if index 657953c0a4..e087c8ac07 100644 --- a/policy/modules/apps/chromium.if +++ b/policy/modules/apps/chromium.if 
@@ -51,7 +51,7 @@ template(`chromium_role',` allow $3 chromium_renderer_t:process signal_perms; allow $3 chromium_sandbox_t:process signal_perms; allow $3 chromium_naclhelper_t:process signal_perms; - allow chromium_t $3:process { signull signal }; + allow chromium_t $3:process { signal signull }; allow $3 chromium_t:unix_stream_socket connectto; diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te index 9119ef184f..94e53816c1 100644 --- a/policy/modules/apps/chromium.te +++ b/policy/modules/apps/chromium.te @@ -90,8 +90,8 @@ xdg_cache_content(chromium_xdg_cache_t) # # execmem for load in plugins -allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal signull }; -allow chromium_t self:dir { write add_name }; +allow chromium_t self:process { execmem getcap getsched setcap setrlimit setsched sigkill signal signull }; +allow chromium_t self:dir { add_name write }; allow chromium_t self:file create; allow chromium_t self:fifo_file rw_fifo_file_perms; allow chromium_t self:sem create_sem_perms; @@ -219,7 +219,7 @@ xserver_manage_mesa_shader_cache(chromium_t) tunable_policy(`chromium_bind_tcp_unreserved_ports',` corenet_tcp_bind_generic_node(chromium_t) corenet_tcp_bind_all_unreserved_ports(chromium_t) - allow chromium_t self:tcp_socket { listen accept }; + allow chromium_t self:tcp_socket { accept listen }; ') tunable_policy(`chromium_dri', ` diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if index 47de66a070..51da5fceea 100644 --- a/policy/modules/apps/evolution.if +++ b/policy/modules/apps/evolution.if 
@@ -54,9 +54,9 @@ template(`evolution_role',` allow evolution_t $3:file read_file_perms; allow evolution_t $3:lnk_file read_lnk_file_perms; - allow $2 evolution_home_t:dir { relabel_dir_perms manage_dir_perms }; - allow $2 evolution_home_t:file { relabel_file_perms manage_file_perms }; - allow $2 evolution_home_t:lnk_file { relabel_lnk_file_perms manage_lnk_file_perms }; + allow $2 evolution_home_t:dir { manage_dir_perms relabel_dir_perms }; + allow $2 evolution_home_t:file { manage_file_perms relabel_file_perms }; + allow $2 evolution_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; userdom_user_home_dir_filetrans($2, evolution_home_t, dir, ".camel_certs") userdom_user_home_dir_filetrans($2, evolution_home_t, dir, ".evolution") diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te index 466a48ef1d..678e012dbd 100644 --- a/policy/modules/apps/evolution.te +++ b/policy/modules/apps/evolution.te @@ -281,7 +281,7 @@ optional_policy(` # Alarm local policy # -allow evolution_alarm_t self:process { signal getsched }; +allow evolution_alarm_t self:process { getsched signal }; allow evolution_alarm_t self:fifo_file rw_fifo_file_perms; allow evolution_alarm_t evolution_alarm_tmpfs_t:dir rw_dir_perms; diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if index e2f3c259ca..33bc699c18 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if 
@@ -79,8 +79,8 @@ template(`gnome_role_template',` domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) - allow $2 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; - allow $2 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms }; + allow $2 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { gnome_home_t gnome_keyring_home_t }:file { manage_file_perms relabel_file_perms }; userdom_user_home_dir_filetrans($2, gnome_home_t, dir, ".gnome") userdom_user_home_dir_filetrans($2, gnome_home_t, dir, ".gnome2") @@ -88,7 +88,7 @@ template(`gnome_role_template',` gnome_home_filetrans($2, gnome_keyring_home_t, dir, "keyrings") - allow $2 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; + allow $2 gnome_keyring_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; ps_process_pattern($3, $1_gkeyringd_t) allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; @@ -296,7 +296,7 @@ interface(`gnome_read_generic_home_content',` userdom_search_user_home_dirs($1) allow $1 gnome_home_t:dir list_dir_perms; - allow $1 gnome_home_t:file { read_file_perms map }; + allow $1 gnome_home_t:file { map read_file_perms }; allow $1 gnome_home_t:fifo_file read_fifo_file_perms; allow $1 gnome_home_t:lnk_file read_lnk_file_perms; allow $1 gnome_home_t:sock_file read_sock_file_perms; diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te index 2ae7ab12e9..df493f1663 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te 
@@ -145,7 +145,7 @@ optional_policy(` allow gkeyringd_domain self:capability ipc_lock; allow gkeyringd_domain self:process { getcap setcap }; -allow gkeyringd_domain self:unix_stream_socket { connectto accept listen }; +allow gkeyringd_domain self:unix_stream_socket { accept connectto listen }; allow gkeyringd_domain gnome_home_t:dir create_dir_perms; gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2") diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te index 73014eda74..b3a0778361 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -79,7 +79,7 @@ optional_policy(` # allow gpg_t self:capability { ipc_lock setuid }; -allow gpg_t self:process { signal signull setrlimit getcap setcap getsched setsched setpgid }; +allow gpg_t self:process { getcap getsched setcap setpgid setrlimit setsched signal signull }; dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms; allow gpg_t self:fifo_file rw_fifo_file_perms; allow gpg_t self:tcp_socket { accept listen }; @@ -222,7 +222,7 @@ tunable_policy(`use_samba_home_dirs',` # allow gpg_agent_t self:process { setrlimit signal_perms }; -allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow gpg_agent_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow gpg_agent_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te index 25f44c36a7..23739eadb2 100644 --- a/policy/modules/apps/irc.te +++ b/policy/modules/apps/irc.te @@ -38,7 +38,7 @@ userdom_user_tmp_file(irc_tmp_t) # Local policy # -allow irc_t self:process { getsched signal sigkill }; +allow irc_t self:process { getsched sigkill signal }; allow irc_t self:fifo_file rw_fifo_file_perms; allow irc_t self:unix_dgram_socket { create_socket_perms sendto }; allow irc_t self:unix_stream_socket { accept listen }; 
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if index 0abfdfb253..df23e8a01f 100644 --- a/policy/modules/apps/java.if +++ b/policy/modules/apps/java.if @@ -47,7 +47,7 @@ template(`java_role',` domtrans_pattern($3, java_exec_t, java_t) - allow $3 java_t:process { noatsecure siginh rlimitinh ptrace signal_perms }; + allow $3 java_t:process { noatsecure ptrace rlimitinh siginh signal_perms }; ps_process_pattern($3, java_t) allow $2 java_tmp_t:dir { manage_dir_perms relabel_dir_perms }; @@ -122,7 +122,7 @@ template(`java_role_template',` domtrans_pattern($3, java_exec_t, $1_java_t) - allow $3 $1_java_t:process { ptrace noatsecure siginh rlimitinh signal_perms }; + allow $3 $1_java_t:process { noatsecure ptrace rlimitinh siginh signal_perms }; ps_process_pattern($3, $1_java_t) allow $3 { java_home_t java_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te index c8811f5bc6..ca73478b6a 100644 --- a/policy/modules/apps/java.te +++ b/policy/modules/apps/java.te @@ -47,7 +47,7 @@ role unconfined_java_roles types unconfined_java_t; # Common local policy # -allow java_domain self:process { signal_perms getsched setsched }; +allow java_domain self:process { getsched setsched signal_perms }; allow java_domain self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(java_domain, java_home_t, java_home_t) @@ -146,7 +146,7 @@ optional_policy(` # optional_policy(` - allow unconfined_java_t self:process { execstack execmem execheap }; + allow unconfined_java_t self:process { execheap execmem execstack }; files_execmod_all_files(unconfined_java_t) diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if index ef116c3911..1c60fceafd 100644 --- a/policy/modules/apps/mono.if +++ b/policy/modules/apps/mono.if 
@@ -58,7 +58,7 @@ template(`mono_role_template',` domtrans_pattern($3, mono_exec_t, $1_mono_t) - allow $3 $1_mono_t:process { ptrace noatsecure signal_perms }; + allow $3 $1_mono_t:process { noatsecure ptrace signal_perms }; ps_process_pattern($3, $1_mono_t) corecmd_bin_domtrans($1_mono_t, $2) diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te index fed2c435c2..66576062c4 100644 --- a/policy/modules/apps/mono.te +++ b/policy/modules/apps/mono.te @@ -25,7 +25,7 @@ optional_policy(` # Common local policy # -allow mono_domain self:process { signal getsched execheap execmem execstack }; +allow mono_domain self:process { execheap execmem execstack getsched signal }; ######################################## # diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if index 01427996c0..9280318480 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -48,7 +48,7 @@ template(`mozilla_role',` domtrans_pattern($3, mozilla_exec_t, mozilla_t) - allow $3 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms }; + allow $3 mozilla_t:process { noatsecure ptrace rlimitinh siginh signal_perms }; ps_process_pattern($3, mozilla_t) allow mozilla_t $3:process signull; @@ -121,8 +121,8 @@ interface(`mozilla_role_plugin',` allow mozilla_plugin_t $2:process signull; allow mozilla_plugin_t $2:unix_stream_socket { connectto rw_socket_perms }; - allow mozilla_plugin_t $2:unix_dgram_socket { sendto rw_socket_perms }; - allow mozilla_plugin_t $2:shm { rw_shm_perms destroy }; + allow mozilla_plugin_t $2:unix_dgram_socket { rw_socket_perms sendto }; + allow mozilla_plugin_t $2:shm { destroy rw_shm_perms }; allow mozilla_plugin_t $2:sem create_sem_perms; allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms }; diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 0730a57a93..53aff64d8f 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te 
@@ -75,7 +75,7 @@ xdg_cache_content(mozilla_xdg_cache_t) allow mozilla_t self:capability { setgid setuid sys_nice }; allow mozilla_t self:cap_userns { sys_admin sys_chroot sys_ptrace }; -allow mozilla_t self:process { sigkill signal setcap setsched getsched setrlimit }; +allow mozilla_t self:process { getsched setcap setrlimit setsched sigkill signal }; allow mozilla_t self:user_namespace create; allow mozilla_t self:fifo_file rw_fifo_file_perms; allow mozilla_t self:shm create_shm_perms; @@ -335,7 +335,7 @@ optional_policy(` dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config }; dontaudit mozilla_plugin_t self:cap_userns sys_ptrace; -allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit }; +allow mozilla_plugin_t self:process { getsched setpgid setrlimit setsched signal_perms }; allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms; allow mozilla_plugin_t self:sem create_sem_perms; @@ -345,7 +345,7 @@ allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen }; allow mozilla_plugin_t mozilla_t:unix_stream_socket rw_socket_perms; allow mozilla_plugin_t mozilla_t:unix_dgram_socket rw_socket_perms; -allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy }; +allow mozilla_plugin_t mozilla_t:shm { destroy rw_shm_perms }; allow mozilla_plugin_t mozilla_t:sem create_sem_perms; manage_dirs_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) 
@@ -599,7 +599,7 @@ optional_policy(` # allow mozilla_plugin_config_t self:capability { dac_override dac_read_search setgid setuid sys_nice }; -allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; +allow mozilla_plugin_config_t self:process { getsched setsched signal_perms }; allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te index 7426c24fc0..607c35d131 100644 --- a/policy/modules/apps/mplayer.te +++ b/policy/modules/apps/mplayer.te @@ -137,7 +137,7 @@ tunable_policy(`xserver_allow_dri',` # Mplayer local policy # -allow mplayer_t self:process { signal_perms getsched setsched }; +allow mplayer_t self:process { getsched setsched signal_perms }; allow mplayer_t self:fifo_file rw_fifo_file_perms; allow mplayer_t self:sem create_sem_perms; allow mplayer_t self:udp_socket create_socket_perms; diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te index f8cccacd4e..688b567730 100644 --- a/policy/modules/apps/openoffice.te +++ b/policy/modules/apps/openoffice.te @@ -52,7 +52,7 @@ files_tmp_file(ooffice_tmp_t) allow ooffice_t self:process { execmem getsched signal }; allow ooffice_t self:shm create_shm_perms; allow ooffice_t self:fifo_file rw_fifo_file_perms; -allow ooffice_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow ooffice_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow ooffice_t ooffice_home_t:dir manage_dir_perms; allow ooffice_t ooffice_home_t:file manage_file_perms; diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if index e9704a63d8..239df25793 100644 --- a/policy/modules/apps/qemu.if +++ b/policy/modules/apps/qemu.if 
@@ -28,7 +28,7 @@ template(`qemu_domain_template',` # allow $1_t self:capability { dac_override dac_read_search }; - allow $1_t self:process { execstack execmem signal getsched }; + allow $1_t self:process { execmem execstack getsched signal }; allow $1_t self:fifo_file rw_fifo_file_perms; allow $1_t self:shm create_shm_perms; allow $1_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te index 232b3101ad..bb0c3d9d61 100644 --- a/policy/modules/apps/qemu.te +++ b/policy/modules/apps/qemu.te @@ -71,6 +71,6 @@ optional_policy(` application_type(unconfined_qemu_t) unconfined_domain(unconfined_qemu_t) - allow unconfined_qemu_t self:process { execstack execmem }; + allow unconfined_qemu_t self:process { execmem execstack }; allow unconfined_qemu_t qemu_exec_t:file execmod; ') diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te index 6bc1993755..5748231529 100644 --- a/policy/modules/apps/rssh.te +++ b/policy/modules/apps/rssh.te @@ -34,7 +34,7 @@ userdom_user_home_content(rssh_rw_t) # Local policy # -allow rssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow rssh_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow rssh_t self:fd use; allow rssh_t self:fifo_file rw_fifo_file_perms; allow rssh_t self:unix_dgram_socket sendto; diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te index 6269237e84..94e9a672c8 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te 
@@ -16,7 +16,7 @@ role system_r types seunshare_t; # allow seunshare_t self:capability { dac_override setpcap setuid sys_admin }; -allow seunshare_t self:process { setexec signal getcap setcap }; +allow seunshare_t self:process { getcap setcap setexec signal }; allow seunshare_t self:fifo_file rw_fifo_file_perms; allow seunshare_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te index 118fd93e58..93af395bbc 100644 --- a/policy/modules/apps/slocate.te +++ b/policy/modules/apps/slocate.te @@ -21,7 +21,7 @@ files_type(locate_var_lib_t) # allow locate_t self:capability { chown dac_override dac_read_search fowner fsetid }; -allow locate_t self:process { execmem execheap execstack signal setsched }; +allow locate_t self:process { execheap execmem execstack setsched signal }; allow locate_t self:fifo_file rw_fifo_file_perms; allow locate_t self:unix_stream_socket create_socket_perms; diff --git a/policy/modules/apps/syncthing.te b/policy/modules/apps/syncthing.te index adb5169007..7777c2b4d9 100644 --- a/policy/modules/apps/syncthing.te +++ b/policy/modules/apps/syncthing.te @@ -21,9 +21,9 @@ xdg_config_content(syncthing_xdg_config_t) # Declarations # -allow syncthing_t self:process { signal_perms setpgid setsched getsched }; +allow syncthing_t self:process { getsched setpgid setsched signal_perms }; allow syncthing_t self:fifo_file rw_fifo_file_perms; -allow syncthing_t self:tcp_socket { listen accept }; +allow syncthing_t self:tcp_socket { accept listen }; can_exec(syncthing_t, syncthing_exec_t) corecmd_exec_bin(syncthing_t) diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te index 2aeee8cf46..50a3445cd5 100644 --- a/policy/modules/apps/telepathy.te +++ b/policy/modules/apps/telepathy.te 
@@ -431,7 +431,7 @@ optional_policy(` # Common telepathy domain local policy # -allow telepathy_domain self:process { getsched signal sigkill }; +allow telepathy_domain self:process { getsched sigkill signal }; allow telepathy_domain self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(telepathy_domain, telepathy_xdg_cache_t, telepathy_xdg_cache_t) diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te index 1bc13fa118..5a11d079a6 100644 --- a/policy/modules/apps/thunderbird.te +++ b/policy/modules/apps/thunderbird.te @@ -34,7 +34,7 @@ optional_policy(` # allow thunderbird_t self:capability sys_nice; -allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack }; +allow thunderbird_t self:process { execheap execmem execstack getsched setsched signal_perms }; allow thunderbird_t self:fifo_file rw_fifo_file_perms; allow thunderbird_t self:unix_dgram_socket create_socket_perms; allow thunderbird_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te index 2bb64194b9..20767c6bad 100644 --- a/policy/modules/apps/userhelper.te +++ b/policy/modules/apps/userhelper.te 
@@ -95,13 +95,13 @@ optional_policy(` # allow userhelper_type self:capability { chown dac_override net_bind_service setgid setuid sys_tty_config }; -allow userhelper_type self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow userhelper_type self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setexec setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow userhelper_type self:fd use; allow userhelper_type self:fifo_file rw_fifo_file_perms; allow userhelper_type self:shm create_shm_perms; allow userhelper_type self:sem create_sem_perms; allow userhelper_type self:msgq create_msgq_perms; -allow userhelper_type self:msg { send receive }; +allow userhelper_type self:msg { receive send }; allow userhelper_type self:unix_dgram_socket sendto; allow userhelper_type self:unix_stream_socket { accept connectto listen }; diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te index 0b4197a520..6d71031405 100644 --- a/policy/modules/apps/usernetctl.te +++ b/policy/modules/apps/usernetctl.te @@ -19,7 +19,7 @@ role usernetctl_roles types usernetctl_t; # allow usernetctl_t self:capability { dac_override setgid setuid }; -allow usernetctl_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow usernetctl_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow usernetctl_t self:fd use; allow usernetctl_t self:fifo_file rw_fifo_file_perms; allow usernetctl_t self:unix_dgram_socket sendto; 
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te index 7ca3a54b00..dfe8164cb3 100644 --- a/policy/modules/apps/vmware.te +++ b/policy/modules/apps/vmware.te @@ -53,7 +53,7 @@ optional_policy(` allow vmware_host_t self:capability { dac_override kill net_raw setgid setuid sys_nice sys_ptrace sys_time }; dontaudit vmware_host_t self:capability sys_tty_config; -allow vmware_host_t self:process { execstack execmem signal_perms }; +allow vmware_host_t self:process { execmem execstack signal_perms }; allow vmware_host_t self:fifo_file rw_fifo_file_perms; allow vmware_host_t self:unix_stream_socket { accept listen }; allow vmware_host_t self:rawip_socket create_socket_perms; @@ -164,15 +164,15 @@ optional_policy(` allow vmware_t self:capability { chown dac_override setgid setuid sys_admin sys_nice sys_rawio sys_resource }; dontaudit vmware_t self:capability sys_tty_config; -allow vmware_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit }; +allow vmware_t self:process { dyntransition execmem execstack getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow vmware_t self:fd use; allow vmware_t self:fifo_file rw_fifo_file_perms; allow vmware_t self:unix_dgram_socket { create_socket_perms sendto }; -allow vmware_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow vmware_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow vmware_t self:shm create_shm_perms; allow vmware_t self:sem create_sem_perms; allow vmware_t self:msgq create_msgq_perms; -allow vmware_t self:msg { send receive }; +allow vmware_t self:msg { receive send }; allow vmware_t vmware_conf_t:file manage_file_perms; 
diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te index 09ebfef2c4..134b284783 100644 --- a/policy/modules/apps/webalizer.te +++ b/policy/modules/apps/webalizer.te @@ -31,7 +31,7 @@ files_type(webalizer_var_lib_t) # allow webalizer_t self:capability dac_override; -allow webalizer_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow webalizer_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow webalizer_t self:fd use; allow webalizer_t self:fifo_file rw_fifo_file_perms; allow webalizer_t self:unix_dgram_socket sendto; diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if index 37f10d03d0..a987d5029f 100644 --- a/policy/modules/apps/wine.if +++ b/policy/modules/apps/wine.if @@ -97,7 +97,7 @@ template(`wine_role_template',` allow $1_wine_t self:process { execmem execstack }; - allow $3 $1_wine_t:process { ptrace noatsecure signal_perms }; + allow $3 $1_wine_t:process { noatsecure ptrace signal_perms }; ps_process_pattern($3, $1_wine_t) domtrans_pattern($3, wine_exec_t, $1_wine_t) diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te index d666c6c766..5b27907e45 100644 --- a/policy/modules/apps/wine.te +++ b/policy/modules/apps/wine.te @@ -37,7 +37,7 @@ optional_policy(` # Local policy # -allow wine_t self:process { execstack execmem execheap }; +allow wine_t self:process { execheap execmem execstack }; allow wine_t self:fifo_file manage_fifo_file_perms; can_exec(wine_t, wine_exec_t) diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te index fe10544811..1c4204e2bf 100644 --- a/policy/modules/apps/wireshark.te +++ b/policy/modules/apps/wireshark.te 
@@ -31,7 +31,7 @@ optional_policy(` # allow wireshark_t self:capability { net_admin net_raw setgid }; -allow wireshark_t self:process { signal getsched }; +allow wireshark_t self:process { getsched signal }; allow wireshark_t self:fifo_file rw_fifo_file_perms; allow wireshark_t self:shm create_shm_perms; allow wireshark_t self:packet_socket create_socket_perms; diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if index fbd4dc907c..d65518218d 100644 --- a/policy/modules/apps/wm.if +++ b/policy/modules/apps/wm.if @@ -61,7 +61,7 @@ template(`wm_role_template',` allow $3 $1_wm_t:process { ptrace signal_perms }; ps_process_pattern($3, $1_wm_t) - allow $1_wm_t $3:process { signull sigkill }; + allow $1_wm_t $3:process { sigkill signull }; domtrans_pattern($3, wm_exec_t, $1_wm_t) diff --git a/policy/modules/apps/wm.te b/policy/modules/apps/wm.te index 48b5bc1815..8cda4c327d 100644 --- a/policy/modules/apps/wm.te +++ b/policy/modules/apps/wm.te @@ -26,7 +26,7 @@ optional_policy(` # allow wm_domain self:fifo_file rw_fifo_file_perms; -allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched }; +allow wm_domain self:process { execmem getsched setcap setrlimit setsched signal_perms }; allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms; allow wm_domain self:shm create_shm_perms; allow wm_domain self:unix_dgram_socket create_socket_perms; diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te index 18c5529537..7984696b1c 100644 --- a/policy/modules/apps/xscreensaver.te +++ b/policy/modules/apps/xscreensaver.te 
@@ -37,7 +37,7 @@ userdom_user_tmpfs_file(xscreensaver_tmpfs_t) # allow xscreensaver_t self:capability { setgid setuid }; -allow xscreensaver_t self:process { setsched setpgid signal sigstop }; +allow xscreensaver_t self:process { setpgid setsched signal sigstop }; allow xscreensaver_t self:fifo_file rw_fifo_file_perms; allow xscreensaver_t xscreensaver_helper_t:process { signal sigstop }; @@ -91,7 +91,7 @@ tunable_policy(`xscreensaver_read_generic_user_content',` # Helper local policy # -allow xscreensaver_helper_t self:capability { setuid setgid }; +allow xscreensaver_helper_t self:capability { setgid setuid }; dontaudit xscreensaver_helper_t self:capability { dac_override dac_read_search }; allow xscreensaver_helper_t self:process { execmem getcap getsched signal }; allow xscreensaver_helper_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index 2cf69993cb..d2f346efa0 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -649,7 +649,7 @@ interface(`corenet_sctp_sendrecv_generic_node',` type node_t; ') - allow $1 node_t:node { sendto recvfrom }; + allow $1 node_t:node { recvfrom sendto }; ') ######################################## @@ -728,7 +728,7 @@ interface(`corenet_tcp_sendrecv_generic_node',` type node_t; ') - allow $1 node_t:node { sendto recvfrom }; + allow $1 node_t:node { recvfrom sendto }; ') ######################################## @@ -1049,7 +1049,7 @@ interface(`corenet_tcp_sendrecv_all_nodes',` attribute node_type; ') - allow $1 node_type:node { sendto recvfrom }; + allow $1 node_type:node { recvfrom sendto }; ') ######################################## @@ -1104,7 +1104,7 @@ interface(`corenet_sctp_sendrecv_all_nodes',` attribute node_type; ') - allow $1 node_type:node { sendto recvfrom }; + allow $1 node_type:node { recvfrom sendto }; ') ######################################## 
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 71096934f5..cfe11d2f09 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -368,8 +368,8 @@ typealias netif_t alias lo_netif_t; # allow corenet_unconfined_type node_type:node { recvfrom sendto }; -allow corenet_unconfined_type netif_type:netif { ingress egress }; -allow corenet_unconfined_type packet_type:packet { send recv relabelto forward_in forward_out }; +allow corenet_unconfined_type netif_type:netif { egress ingress }; +allow corenet_unconfined_type packet_type:packet { forward_in forward_out recv relabelto send }; allow corenet_unconfined_type port_type:tcp_socket { name_connect }; allow corenet_unconfined_type port_type:sctp_socket { name_connect }; diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index aaa5807bb2..cae0b55c06 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -1025,7 +1025,7 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',` type device_t; ') - dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl }; + dontaudit $1 device_t:{ chr_file blk_file } { getattr ioctl read write }; ') ######################################## @@ -3087,7 +3087,7 @@ interface(`dev_rx_raw_memory',` ') dev_read_raw_memory($1) - allow $1 memory_device_t:chr_file { map execute }; + allow $1 memory_device_t:chr_file { execute map }; ') ######################################## @@ -3109,7 +3109,7 @@ interface(`dev_wx_raw_memory',` ') dev_write_raw_memory($1) - allow $1 memory_device_t:chr_file { map execute }; + allow $1 memory_device_t:chr_file { execute map }; ') ######################################## 
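Review bot: In the dev_dontaudit_rw_generic_dev_nodes hunk the class set on the rewritten line is left in its old order, `device_t:{ chr_file blk_file }`, while the permission set beside it was sorted to `{ getattr ioctl read write }`. If the intent of this series is sorted sets throughout, the same rule applies to the class set, and the line should read `dontaudit $1 device_t:{ blk_file chr_file } { getattr ioctl read write };`. The sort is semantically a no-op either way, so this is only a consistency point. The interface's opening line is outside the hunk.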
@@ -3139,7 +3139,7 @@ interface(`dev_wx_raw_memory_cond',` typeattribute $1 memory_raw_write; dev_write_raw_memory_cond($1, $2) tunable_policy(`$2', ` - allow $1 memory_device_t:chr_file { map execute }; + allow $1 memory_device_t:chr_file { execute map }; ') ') @@ -3615,10 +3615,10 @@ interface(`dev_create_null_dev',` interface(`dev_manage_null_service',` gen_require(` type null_device_t; - class service { status start stop reload }; + class service { reload start status stop }; ') - allow $1 null_device_t:service { status start stop reload }; + allow $1 null_device_t:service { reload start status stop}; ') ######################################## @@ -5517,7 +5517,7 @@ interface(`dev_rwx_vmware',` ') dev_rw_vmware($1) - allow $1 vmware_device_t:chr_file { map execute }; + allow $1 vmware_device_t:chr_file { execute map }; ') ######################################## @@ -5777,7 +5777,7 @@ interface(`dev_rwx_zero',` ') dev_rw_zero($1) - allow $1 zero_device_t:chr_file { map execute }; + allow $1 zero_device_t:chr_file { execute map }; ') ######################################## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 7946b943bc..cd7977f973 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te 
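Review bot: The rewritten allow line in dev_manage_null_service drops the space before the closing brace, `{ reload start status stop}`, which breaks the `{ a b }` spacing used on every other line this commit touches, including the matching `class service { reload start status stop };` declaration a few lines above it. It should be `allow $1 null_device_t:service { reload start status stop };`. The policy compiler accepts both forms, so this is purely a style point.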
@@ -445,6 +445,6 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; -allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow devices_unconfined_type mtrr_device_t:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow devices_unconfined_type device_node:blk_file { execmod execute manage_blk_file_perms map mounton quotaon relabel_blk_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow devices_unconfined_type device_node:chr_file { execmod execute manage_chr_file_perms map mounton quotaon relabel_chr_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow devices_unconfined_type mtrr_device_t:file { entrypoint exec_file_perms execmod manage_file_perms mounton quotaon relabel_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 6561a1bfe3..944d6d3b30 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -128,7 +128,7 @@ interface(`domain_entry_file',` ') allow $1 $2:file entrypoint; - allow $1 $2:file { mmap_exec_file_perms ioctl lock }; + allow $1 $2:file { ioctl lock mmap_exec_file_perms }; typeattribute $2 entry_type; diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 3aeb3e50fc..0f38015b6f 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te 
@@ -17,7 +17,7 @@ gen_tunable(mmap_low_allowed, false) attribute domain; # Transitions only allowed from domains to other domains -neverallow domain ~domain:process { transition dyntransition }; +neverallow domain ~domain:process { dyntransition transition }; # Domains that are unconfined attribute unconfined_domain_type; @@ -92,7 +92,7 @@ neverallow ~{ domain unlabeled_t } *:process *; # read /proc/(pid|self) entries, write /proc/self/attr entries, # and manage own fds. allow domain self:dir rw_dir_perms; -allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; +allow domain self:lnk_file { ioctl lock read_lnk_file_perms }; allow domain self:file manage_file_perms; kernel_read_crypto_sysctls(domain) @@ -115,7 +115,7 @@ dontaudit domain self:udp_socket listen; # lockdown checks were removed in 5.16. The class will be removed # from the policy in the future. For reference: # https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly -allow domain self:lockdown { integrity confidentiality }; +allow domain self:lockdown { confidentiality integrity }; # glibc get_nprocs requires read access to /sys/devices/system/cpu/online dev_read_cpu_online(domain) 
@@ -170,36 +170,36 @@ optional_policy(` allow unconfined_domain_type domain:bpf { map_create map_read map_write prog_load prog_run }; # Use/sendto/connectto sockets created by any domain. -allow unconfined_domain_type domain:{ socket_class_set socket key_socket } { create_stream_socket_perms lock relabelto name_bind map sendto recvfrom relabelfrom }; +allow unconfined_domain_type domain:{ socket_class_set socket key_socket } { create_stream_socket_perms lock map name_bind recvfrom relabelfrom relabelto sendto }; allow unconfined_domain_type domain:rawip_socket node_bind; allow unconfined_domain_type domain:sctp_socket node_bind; allow unconfined_domain_type domain:icmp_socket node_bind; allow unconfined_domain_type domain:udp_socket node_bind; -allow unconfined_domain_type domain:tcp_socket { node_bind name_connect }; +allow unconfined_domain_type domain:tcp_socket { name_connect node_bind }; allow unconfined_domain_type domain:tun_socket attach_queue; allow unconfined_domain_type domain:unix_stream_socket connectto; -allow unconfined_domain_type domain:netlink_audit_socket { nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_read nlmsg_tty_audit }; -allow unconfined_domain_type domain:netlink_route_socket { nlmsg_write nlmsg_read }; -allow unconfined_domain_type domain:netlink_tcpdiag_socket { nlmsg_write nlmsg_read }; -allow unconfined_domain_type domain:netlink_xfrm_socket { nlmsg_write nlmsg_read }; +allow unconfined_domain_type domain:netlink_audit_socket { nlmsg_read nlmsg_readpriv nlmsg_relay nlmsg_tty_audit nlmsg_write }; +allow unconfined_domain_type domain:netlink_route_socket { nlmsg_read nlmsg_write }; +allow unconfined_domain_type domain:netlink_tcpdiag_socket { nlmsg_read nlmsg_write }; +allow unconfined_domain_type domain:netlink_xfrm_socket { nlmsg_read nlmsg_write }; # Use descriptors and pipes created by any domain. allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_fifo_file_perms; # Act upon any other process. 
-allow unconfined_domain_type domain:process { fork signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh setcurrent setkeycreate setsockcreate getrlimit }; +allow unconfined_domain_type domain:process { fork getattr getcap getpgid getrlimit getsched getsession noatsecure ptrace rlimitinh setcap setcurrent setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms }; # Create/access any System V IPC objects. allow unconfined_domain_type domain:sem create_sem_perms; allow unconfined_domain_type domain:msgq create_msgq_perms; allow unconfined_domain_type domain:shm create_shm_perms; -allow unconfined_domain_type domain:msg { send receive }; +allow unconfined_domain_type domain:msg { receive send }; # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; allow unconfined_domain_type domain:file rw_file_perms; -allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +allow unconfined_domain_type domain:lnk_file { ioctl lock read_lnk_file_perms }; # act on all domains keys allow unconfined_domain_type domain:key manage_key_perms; diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index d83107e3cd..b6c7d1e07c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -542,7 +542,7 @@ interface(`files_mounton_non_security',` attribute non_security_file_type; ') - allow $1 non_security_file_type:dir { search mounton_dir_perms }; + allow $1 non_security_file_type:dir { mounton_dir_perms search }; allow $1 non_security_file_type:file mounton_file_perms; ') @@ -1782,7 +1782,7 @@ interface(`files_mounton_all_mountpoints',` attribute mountpoint; ') - allow $1 mountpoint:dir { search_dir_perms mounton }; + allow $1 mountpoint:dir { mounton search_dir_perms }; allow $1 mountpoint:file mounton_file_perms; kernel_mounton_unlabeled_dirs($1) 
@@ -2002,7 +2002,7 @@ interface(`files_list_root',` ') allow $1 root_t:dir list_dir_perms; - allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; + allow $1 root_t:lnk_file { ioctl lock read_lnk_file_perms }; ') ######################################## @@ -2313,7 +2313,7 @@ interface(`files_relabel_rootfs',` type root_t; ') - allow $1 root_t:filesystem { relabelto relabelfrom }; + allow $1 root_t:filesystem { relabelfrom relabelto }; ') ######################################## @@ -2887,7 +2887,7 @@ interface(`files_mounton_default',` type default_t; ') - allow $1 default_t:dir { search_dir_perms mounton }; + allow $1 default_t:dir { mounton search_dir_perms }; ') ######################################## @@ -4313,7 +4313,7 @@ interface(`files_mounton_mnt',` type mnt_t; ') - allow $1 mnt_t:dir { search_dir_perms mounton }; + allow $1 mnt_t:dir { mounton search_dir_perms }; ') ######################################## @@ -5764,7 +5764,7 @@ interface(`files_create_kernel_symbol_table',` type boot_t, system_map_t; ') - allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; + allow $1 boot_t:dir { add_entry_dir_perms list_dir_perms }; allow $1 system_map_t:file { create_file_perms rw_file_perms }; ') @@ -7752,7 +7752,7 @@ interface(`files_polyinstantiate_all',` allow $1 self:capability { chown fowner fsetid sys_admin }; # Need to give access to the directories to be polyinstantiated - allow $1 polydir:dir { add_entry_dir_perms create setattr mounton rmdir }; + allow $1 polydir:dir { add_entry_dir_perms create mounton rmdir setattr }; # Need to give access to the polyinstantiated subdirectories allow $1 polymember:dir search_dir_perms; 
@@ -7763,9 +7763,9 @@ interface(`files_polyinstantiate_all',` # Need to give permission to create directories where applicable allow $1 self:process setfscreate; - allow $1 polymember: dir { create setattr relabelto }; - allow $1 polydir: dir { write add_name open }; - allow $1 polyparent:dir { rw_dir_perms relabel_dir_perms }; + allow $1 polymember: dir { create relabelto setattr }; + allow $1 polydir: dir { add_name open write }; + allow $1 polyparent:dir { relabel_dir_perms rw_dir_perms }; # Default type for mountpoints allow $1 poly_t:dir { create mounton }; diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index f8258f855a..8de238d3ad 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te 
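Review bot: The rules `allow $1 polymember: dir { create relabelto setattr };` and `allow $1 polydir: dir { add_name open write };` keep a stray space after the colon between type and class, which no other rule in this diff has. Since these lines are being rewritten anyway, normalising them to `allow $1 polymember:dir { create relabelto setattr };` and `allow $1 polydir:dir { add_name open write };` would make them consistent with the `polyparent:dir` rule directly below them in the same hunk. The space is inherited from the removed lines, so this is a style point rather than a regression introduced here.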
@@ -227,16 +227,16 @@ fs_associate_tmpfs(tmpfsfile) # # Create/access any file in a labeled filesystem; -allow files_unconfined_type file_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch watch_mount watch_reads watch_sb watch_with_perm}; -allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow files_unconfined_type file_type:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow files_unconfined_type file_type:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton watch watch_mount watch_reads watch_sb watch_with_perm }; -allow files_unconfined_type file_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow files_unconfined_type file_type:file { exec_file_perms manage_file_perms mounton quotaon relabel_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow files_unconfined_type file_type:lnk_file { append execmod execute manage_lnk_file_perms map mounton open quotaon relabel_lnk_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow files_unconfined_type file_type:sock_file { execmod execute manage_sock_file_perms map mounton quotaon relabel_sock_file_perms watch watch_mount watch_reads 
watch_sb watch_with_perm }; +allow files_unconfined_type file_type:fifo_file { execmod execute manage_fifo_file_perms map mounton quotaon relabel_fifo_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow files_unconfined_type file_type:blk_file { execmod execute manage_blk_file_perms map mounton quotaon relabel_blk_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow files_unconfined_type file_type:chr_file { execute manage_chr_file_perms map mounton quotaon relabel_chr_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow files_unconfined_type file_type:dir { add_name append execmod execute manage_dir_perms map mounton quotaon relabel_dir_perms remove_name reparent rmdir search watch watch_mount watch_reads watch_sb watch_with_perm }; # Mount/unmount any filesystem with the context= option. -allow files_unconfined_type file_type:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch }; +allow files_unconfined_type file_type:filesystem { associate getattr mount quotaget quotamod relabelfrom relabelto remount unmount watch }; tunable_policy(`allow_execmod',` allow files_unconfined_type file_type:file execmod; diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index b40cb5f6cd..46b90d46e8 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te 
@@ -358,15 +358,15 @@ fs_associate_noxattr(noxattrfs) # Unconfined access to this module # -allow filesystem_unconfined_type filesystem_type:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch }; +allow filesystem_unconfined_type filesystem_type:filesystem { associate getattr mount quotaget quotamod relabelfrom relabelto remount unmount watch }; # Create/access other files. fs_type is to pick up various # pseudo filesystem types that are applied to both the filesystem # and its files. -allow filesystem_unconfined_type filesystem_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow filesystem_unconfined_type filesystem_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow filesystem_unconfined_type filesystem_type:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow filesystem_unconfined_type filesystem_type:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow filesystem_unconfined_type filesystem_type:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow filesystem_unconfined_type filesystem_type:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow filesystem_unconfined_type filesystem_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir execmod watch watch_mount watch_reads watch_sb watch_with_perm }; +allow 
filesystem_unconfined_type filesystem_type:file { entrypoint exec_file_perms execmod manage_file_perms mounton quotaon relabel_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow filesystem_unconfined_type filesystem_type:lnk_file { append execmod execute manage_lnk_file_perms map mounton open quotaon relabel_lnk_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow filesystem_unconfined_type filesystem_type:sock_file { execmod execute manage_sock_file_perms map mounton quotaon relabel_sock_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow filesystem_unconfined_type filesystem_type:fifo_file { execmod execute manage_fifo_file_perms map mounton quotaon relabel_fifo_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow filesystem_unconfined_type filesystem_type:blk_file { execmod execute manage_blk_file_perms map mounton quotaon relabel_blk_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow filesystem_unconfined_type filesystem_type:chr_file { execmod execute manage_chr_file_perms map mounton quotaon relabel_chr_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow filesystem_unconfined_type filesystem_type:dir { add_name append execmod execute manage_dir_perms map mounton quotaon relabel_dir_perms remove_name reparent rmdir search watch watch_mount watch_reads watch_sb watch_with_perm }; diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 85b4da0c36..f985a1cacf 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -363,7 +363,7 @@ interface(`kernel_rw_unix_dgram_sockets',` type kernel_t; ') - allow $1 kernel_t:unix_dgram_socket { read write ioctl }; + allow $1 kernel_t:unix_dgram_socket { ioctl read write }; ') ######################################## 
@@ -2936,7 +2936,7 @@ interface(`kernel_mounton_unlabeled_dirs',` type unlabeled_t; ') - allow $1 unlabeled_t:dir { search_dir_perms mounton }; + allow $1 unlabeled_t:dir { mounton search_dir_perms }; ') ######################################## @@ -3539,7 +3539,7 @@ interface(`kernel_sendrecv_unlabeled_association',` type unlabeled_t; ') - allow $1 unlabeled_t:association { sendto recvfrom }; + allow $1 unlabeled_t:association { recvfrom sendto }; ') ######################################## @@ -3572,7 +3572,7 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` type unlabeled_t; ') - dontaudit $1 unlabeled_t:association { sendto recvfrom }; + dontaudit $1 unlabeled_t:association { recvfrom sendto }; ') ######################################## @@ -3770,7 +3770,7 @@ interface(`kernel_sendrecv_unlabeled_packets',` type unlabeled_t; ') - allow $1 unlabeled_t:packet { send recv }; + allow $1 unlabeled_t:packet { recv send }; ') ######################################## 
@@ -3842,28 +3842,28 @@ interface(`kernel_dontaudit_recvfrom_unlabeled_peer',` interface(`kernel_relabelfrom_unlabeled_database',` gen_require(` type unlabeled_t; - class db_database { setattr relabelfrom }; - class db_schema { setattr relabelfrom }; - class db_table { setattr relabelfrom }; - class db_sequence { setattr relabelfrom }; - class db_view { setattr relabelfrom }; - class db_procedure { setattr relabelfrom }; - class db_language { setattr relabelfrom }; - class db_column { setattr relabelfrom }; - class db_tuple { update relabelfrom }; - class db_blob { setattr relabelfrom }; - ') - - allow $1 unlabeled_t:db_database { setattr relabelfrom }; - allow $1 unlabeled_t:db_schema { setattr relabelfrom }; - allow $1 unlabeled_t:db_table { setattr relabelfrom }; - allow $1 unlabeled_t:db_sequence { setattr relabelfrom }; - allow $1 unlabeled_t:db_view { setattr relabelfrom }; - allow $1 unlabeled_t:db_procedure { setattr relabelfrom }; - allow $1 unlabeled_t:db_language { setattr relabelfrom }; - allow $1 unlabeled_t:db_column { setattr relabelfrom }; - allow $1 unlabeled_t:db_tuple { update relabelfrom }; - allow $1 unlabeled_t:db_blob { setattr relabelfrom }; + class db_database { relabelfrom setattr }; + class db_schema { relabelfrom setattr }; + class db_table { relabelfrom setattr }; + class db_sequence { relabelfrom setattr }; + class db_view { relabelfrom setattr }; + class db_procedure { relabelfrom setattr }; + class db_language { relabelfrom setattr }; + class db_column { relabelfrom setattr }; + class db_tuple { relabelfrom update }; + class db_blob { relabelfrom setattr }; + ') + + allow $1 unlabeled_t:db_database { relabelfrom setattr }; + allow $1 unlabeled_t:db_schema { relabelfrom setattr }; + allow $1 unlabeled_t:db_table { relabelfrom setattr }; + allow $1 unlabeled_t:db_sequence { relabelfrom setattr }; + allow $1 unlabeled_t:db_view { relabelfrom setattr }; + allow $1 unlabeled_t:db_procedure { relabelfrom setattr }; + allow $1 
unlabeled_t:db_language { relabelfrom setattr }; + allow $1 unlabeled_t:db_column { relabelfrom setattr }; + allow $1 unlabeled_t:db_tuple { relabelfrom update }; + allow $1 unlabeled_t:db_blob { relabelfrom setattr }; ') ######################################## diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 887ca33327..b212664da0 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te 
@@ -237,11 +237,11 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) # kernel local policy # -allow kernel_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; -allow kernel_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow kernel_t self:capability { audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config }; +allow kernel_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow kernel_t self:shm create_shm_perms; allow kernel_t self:sem create_sem_perms; -allow kernel_t self:msg { send receive }; +allow kernel_t self:msg { receive send }; allow kernel_t self:msgq create_msgq_perms; allow kernel_t self:unix_dgram_socket create_socket_perms; allow kernel_t self:unix_stream_socket create_stream_socket_perms; 
@@ -578,23 +578,23 @@ if(secure_mode_insmod) { # Rules for unconfined access to this module # -allow kern_unconfined proc_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow kern_unconfined proc_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow kern_unconfined proc_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch watch_mount watch_reads watch_sb watch_with_perm }; - -allow kern_unconfined sysctl_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow kern_unconfined sysctl_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch watch_mount watch_reads watch_sb watch_with_perm }; - -allow kern_unconfined kernel_t:system { ipc_info syslog_read syslog_mod syslog_console module_request module_load halt reboot status start stop enable disable reload }; #selint-disable:W-001 - -allow kern_unconfined unlabeled_t:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch watch_mount watch_reads watch_sb watch_with_perm }; -allow kern_unconfined unlabeled_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow kern_unconfined unlabeled_t:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow kern_unconfined unlabeled_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow kern_unconfined unlabeled_t:blk_file { manage_blk_file_perms 
relabel_blk_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow kern_unconfined unlabeled_t:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton watch watch_mount watch_reads watch_sb watch_with_perm }; -allow kern_unconfined unlabeled_t:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir execmod watch watch_mount watch_reads watch_sb watch_with_perm }; -allow kern_unconfined unlabeled_t:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch }; -allow kern_unconfined unlabeled_t:association { sendto recvfrom setcontext polmatch }; -allow kern_unconfined unlabeled_t:packet { send recv relabelto forward_in forward_out }; -allow kern_unconfined unlabeled_t:process { fork signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh setcurrent setkeycreate setsockcreate getrlimit }; +allow kern_unconfined proc_type:dir { append execmod execute manage_dir_perms map mounton quotaon relabel_dir_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined proc_type:lnk_file { append execmod execute manage_lnk_file_perms map mounton open quotaon relabel_lnk_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined proc_type:file { exec_file_perms manage_file_perms mounton quotaon relabel_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; + +allow kern_unconfined sysctl_type:dir { append execmod execute manage_dir_perms map mounton quotaon relabel_dir_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined sysctl_type:file { exec_file_perms manage_file_perms mounton quotaon relabel_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; + +allow kern_unconfined 
kernel_t:system { disable enable halt ipc_info module_load module_request reboot reload start status stop syslog_console syslog_mod syslog_read }; #selint-disable:W-001 + +allow kern_unconfined unlabeled_t:file { exec_file_perms manage_file_perms mounton quotaon relabel_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined unlabeled_t:lnk_file { append execmod execute manage_lnk_file_perms map mounton open quotaon relabel_lnk_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined unlabeled_t:sock_file { execmod execute manage_sock_file_perms map mounton quotaon relabel_sock_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined unlabeled_t:fifo_file { execmod execute manage_fifo_file_perms map mounton quotaon relabel_fifo_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined unlabeled_t:blk_file { execmod execute manage_blk_file_perms map mounton quotaon relabel_blk_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined unlabeled_t:chr_file { execute manage_chr_file_perms map mounton quotaon relabel_chr_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined unlabeled_t:dir { add_name append execmod execute manage_dir_perms map mounton quotaon relabelfrom relabelto remove_name reparent rmdir search watch watch_mount watch_reads watch_sb watch_with_perm }; +allow kern_unconfined unlabeled_t:filesystem { associate getattr mount quotaget quotamod relabelfrom relabelto remount unmount watch }; +allow kern_unconfined unlabeled_t:association { polmatch recvfrom sendto setcontext }; +allow kern_unconfined unlabeled_t:packet { forward_in forward_out recv relabelto send }; +allow kern_unconfined unlabeled_t:process { fork getattr getcap getpgid getrlimit getsched getsession noatsecure ptrace rlimitinh setcap setcurrent setexec setfscreate setkeycreate 
setpgid setrlimit setsched setsockcreate share siginh signal_perms }; diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index 35efa9e61e..97b236aa9a 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -106,7 +106,7 @@ allow selinux_unconfined_type security_t:file rw_file_perms; allow selinux_unconfined_type boolean_type:file read_file_perms; # Access the security API. -allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setsecparam setcheckreqprot read_policy validate_trans }; +allow selinux_unconfined_type security_t:security { check_context compute_av compute_create compute_member compute_relabel compute_user read_policy setcheckreqprot setsecparam validate_trans }; if (secure_mode_policyload) { dontaudit selinux_unconfined_type security_t:security { load_policy setenforce }; diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te index 7d30dc4508..9865373d8e 100644 --- a/policy/modules/kernel/storage.te +++ b/policy/modules/kernel/storage.te @@ -59,5 +59,5 @@ dev_node(tape_device_t) # Unconfined access to this module # -allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod }; -allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod }; +allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file { execmod execute manage_blk_file_perms map mounton quotaon relabel_blk_file_perms }; +allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file { execmod execute manage_chr_file_perms map mounton quotaon relabel_chr_file_perms }; 
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index e5645c7c5b..4db1fd773d 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -434,7 +434,7 @@ interface(`term_relabel_pty_fs',` ') dev_list_all_dev_nodes($1) - allow $1 devpts_t:filesystem { relabelto relabelfrom }; + allow $1 devpts_t:filesystem { relabelfrom relabelto }; ') ######################################## @@ -550,7 +550,7 @@ interface(`term_dontaudit_list_ptys',` type devpts_t; ') - dontaudit $1 devpts_t:dir { getattr search read }; + dontaudit $1 devpts_t:dir { getattr read search }; ') ######################################## @@ -725,7 +725,7 @@ interface(`term_dontaudit_use_generic_ptys',` type devpts_t; ') - dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; + dontaudit $1 devpts_t:chr_file { getattr ioctl read write }; ') ####################################### diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te index 7f8940abfd..5cf55ae365 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -107,7 +107,7 @@ init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t) allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; dontaudit abrt_t self:capability sys_rawio; -allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; +allow abrt_t self:process { getsched setpgid setsched sigkill signal signull }; allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket { accept listen }; diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te index 6a04d88062..67201ee68a 100644 --- a/policy/modules/services/accountsd.te +++ b/policy/modules/services/accountsd.te 
@@ -24,7 +24,7 @@ files_type(accountsd_var_lib_t)
 allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace };
 allow accountsd_t self:process signal;
 allow accountsd_t self:fifo_file rw_fifo_file_perms;
-allow accountsd_t self:passwd { rootok passwd chfn chsh };
+allow accountsd_t self:passwd { chfn chsh passwd rootok };
 manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
 manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
diff --git a/policy/modules/services/acpi.te b/policy/modules/services/acpi.te
index c4ca7f7f62..106bdee6bf 100644
--- a/policy/modules/services/acpi.te
+++ b/policy/modules/services/acpi.te
@@ -64,7 +64,7 @@ logging_send_syslog_msg(acpi_t)
 allow acpid_t self:capability { kill mknod sys_admin sys_nice sys_time };
 dontaudit acpid_t self:capability { dac_override dac_read_search setuid sys_ptrace sys_tty_config };
-allow acpid_t self:process { signal_perms getsession };
+allow acpid_t self:process { getsession signal_perms };
 allow acpid_t self:fifo_file rw_fifo_file_perms;
 allow acpid_t self:netlink_socket create_socket_perms;
 allow acpid_t self:netlink_generic_socket create_socket_perms;
diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
index 78b55081df..b01abea4e3 100644
--- a/policy/modules/services/aisexec.te
+++ b/policy/modules/services/aisexec.te
@@ -36,7 +36,7 @@ allow aisexec_t self:capability { ipc_lock ipc_owner sys_nice sys_resource };
 allow aisexec_t self:process { setrlimit setsched signal };
 allow aisexec_t self:fifo_file rw_fifo_file_perms;
 allow aisexec_t self:sem create_sem_perms;
-allow aisexec_t self:unix_stream_socket { accept listen connectto };
+allow aisexec_t self:unix_stream_socket { accept connectto listen };
 manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
 manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index dd04c0f884..ca9ad59694 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -51,7 +51,7 @@ dontaudit amavis_t self:capability sys_tty_config;
 allow amavis_t self:process signal_perms;
 allow amavis_t self:fifo_file rw_fifo_file_perms;
 allow amavis_t self:unix_stream_socket { accept connectto listen };
-allow amavis_t self:tcp_socket { listen accept };
+allow amavis_t self:tcp_socket { accept listen };
 allow amavis_t amavis_etc_t:dir list_dir_perms;
 read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 2b3a7f3c53..d272f286cc 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -61,8 +61,8 @@ template(`apache_content_template',`
 can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
- allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
+ allow httpd_$1_script_t httpd_$1_ra_content_t:dir { add_entry_dir_perms list_dir_perms setattr_dir_perms };
+ allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms create_file_perms read_file_perms setattr_file_perms };
 allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
 allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 5587583a14..2ef1e667cf 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -365,14 +365,14 @@ optional_policy(`
 allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
 dontaudit httpd_t self:capability net_admin;
-allow httpd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow httpd_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
 allow httpd_t self:fd use;
 allow httpd_t self:sock_file read_sock_file_perms;
 allow httpd_t self:fifo_file rw_fifo_file_perms;
 allow httpd_t self:shm create_shm_perms;
 allow httpd_t self:sem create_sem_perms;
 allow httpd_t self:msgq create_msgq_perms;
-allow httpd_t self:msg { send receive };
+allow httpd_t self:msg { receive send };
 allow httpd_t self:unix_dgram_socket sendto;
 allow httpd_t self:unix_stream_socket { accept connectto listen };
 allow httpd_t self:tcp_socket { accept listen };
@@ -577,8 +577,8 @@ tunable_policy(`httpd_builtin_scripting',`
 allow httpd_t httpdcontent:file { map read_file_perms };
 allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
- allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
- allow httpd_t httpd_ra_content:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
+ allow httpd_t httpd_ra_content:dir { add_entry_dir_perms list_dir_perms setattr_dir_perms };
+ allow httpd_t httpd_ra_content:file { append_file_perms create_file_perms read_file_perms setattr_file_perms };
 allow httpd_t httpd_ra_content:lnk_file read_lnk_file_perms;
 manage_dirs_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
@@ -593,7 +593,7 @@ tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
 ')
 tunable_policy(`httpd_enable_cgi',`
- allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
+ allow httpd_t httpd_script_domains:process { sigkill signal sigstop };
 allow httpd_t httpd_script_exec_type:dir list_dir_perms;
 allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
 ')
@@ -1221,11 +1221,11 @@ optional_policy(`
 #
 allow httpd_sys_script_t self:tcp_socket { accept listen };
-allow httpd_sys_script_t self:unix_dgram_socket { create connect connected_socket_perms };
+allow httpd_sys_script_t self:unix_dgram_socket { connect connected_socket_perms create };
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-allow httpd_sys_script_t httpd_t:unix_stream_socket { read write ioctl };
+allow httpd_sys_script_t httpd_t:unix_stream_socket { ioctl read write };
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index 3cf98e59da..86597222a3 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -41,7 +41,7 @@ files_type(asterisk_var_lib_t)
 allow asterisk_t self:capability { chown dac_override net_admin setgid setuid sys_nice };
 dontaudit asterisk_t self:capability { sys_module sys_tty_config };
-allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
+allow asterisk_t self:process { getcap getsched setcap setsched signal_perms };
 allow asterisk_t self:fifo_file rw_fifo_file_perms;
 allow asterisk_t self:sem create_sem_perms;
 allow asterisk_t self:shm create_shm_perms;
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index 440ed1c06d..6fde03b2b6 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -35,7 +35,7 @@ init_unit_file(automount_unit_t)
 allow automount_t self:capability { dac_override setgid setuid sys_admin sys_nice sys_resource };
 dontaudit automount_t self:capability sys_tty_config;
-allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+allow automount_t self:process { getpgid setpgid setrlimit setsched signal_perms };
 allow automount_t self:fifo_file rw_fifo_file_perms;
 allow automount_t self:tcp_socket { accept listen };
 allow automount_t self:rawip_socket create_socket_perms;
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 1094e39db6..5cdfa08a4e 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -29,7 +29,7 @@ files_runtime_file(avahi_var_lib_t)
 allow avahi_t self:capability { chown dac_override fowner kill net_admin net_raw setgid setuid sys_chroot };
 dontaudit avahi_t self:capability sys_tty_config;
-allow avahi_t self:process { setrlimit signal_perms getcap setcap };
+allow avahi_t self:process { getcap setcap setrlimit signal_perms };
 allow avahi_t self:fifo_file rw_fifo_file_perms;
 allow avahi_t self:unix_stream_socket { accept connectto listen };
 allow avahi_t self:tcp_socket { accept listen };
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 37f2fdd1ff..0db949185d 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -76,7 +76,7 @@ role ndc_roles types ndc_t;
 allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
 dontaudit named_t self:capability sys_tty_config;
-allow named_t self:process { setsched getsched getcap setcap setrlimit signal_perms };
+allow named_t self:process { getcap getsched setcap setrlimit setsched signal_perms };
 allow named_t self:fifo_file rw_fifo_file_perms;
 allow named_t self:unix_stream_socket { accept listen };
 allow named_t self:tcp_socket { accept listen };
@@ -217,7 +217,7 @@ optional_policy(`
 allow ndc_t self:capability { dac_override dac_read_search net_admin };
 allow ndc_t self:capability2 block_suspend;
-allow ndc_t self:process { signal_perms getsched setsched };
+allow ndc_t self:process { getsched setsched signal_perms };
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/services/bird.te b/policy/modules/services/bird.te
index 68ae92f94c..5edb015faf 100644
--- a/policy/modules/services/bird.te
+++ b/policy/modules/services/bird.te
@@ -30,12 +30,12 @@ allow bird_t self:capability { net_admin net_raw };
 allow bird_t self:netlink_route_socket create_netlink_socket_perms;
 allow bird_t self:tcp_socket create_stream_socket_perms;
 allow bird_t self:unix_stream_socket create_stream_socket_perms;
-allow bird_t self:rawip_socket { create read write setopt };
+allow bird_t self:rawip_socket { create read setopt write };
 allow bird_t bird_etc_t:file read_file_perms;
 allow bird_t bird_etc_t:dir list_dir_perms;
-allow bird_t bird_log_t:file { create_file_perms append_file_perms setattr_file_perms };
+allow bird_t bird_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(bird_t, bird_log_t, file)
 allow bird_t bird_runtime_t:sock_file manage_sock_file_perms;
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 0cbff07141..909e98daa1 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -53,7 +53,7 @@ files_type(bluetooth_var_lib_t)
 allow bluetooth_t self:capability { dac_override ipc_lock net_admin net_bind_service net_raw setpcap sys_admin sys_tty_config };
 dontaudit bluetooth_t self:capability sys_tty_config;
-allow bluetooth_t self:process { getcap setcap getsched signal_perms };
+allow bluetooth_t self:process { getcap getsched setcap signal_perms };
 allow bluetooth_t self:fifo_file rw_fifo_file_perms;
 allow bluetooth_t self:shm create_shm_perms;
 allow bluetooth_t self:socket create_stream_socket_perms;
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
index cae4a35b96..2e225e05d4 100644
--- a/policy/modules/services/boinc.te
+++ b/policy/modules/services/boinc.te
@@ -47,7 +47,7 @@ files_tmp_file(boinc_project_tmp_t)
 # Local policy
 #
-allow boinc_t self:process { setsched setpgid signull sigkill signal };
+allow boinc_t self:process { setpgid setsched sigkill signal signull };
 allow boinc_t self:unix_stream_socket { accept listen };
 allow boinc_t self:tcp_socket { accept listen };
 allow boinc_t self:shm create_shm_perms;
@@ -142,7 +142,7 @@ miscfiles_read_generic_certs(boinc_t)
 miscfiles_read_localization(boinc_t)
 tunable_policy(`boinc_execmem',`
- allow boinc_t self:process { execstack execmem };
+ allow boinc_t self:process { execmem execstack };
 ')
 optional_policy(`
@@ -166,7 +166,7 @@ optional_policy(`
 #
 allow boinc_project_t self:capability { setgid setuid };
-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+allow boinc_project_t self:process { execmem execstack getcap noatsecure ptrace setcap setpgid setsched signal_perms };
 manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
diff --git a/policy/modules/services/cgmanager.te b/policy/modules/services/cgmanager.te
index a9cc809924..7dd306968f 100644
--- a/policy/modules/services/cgmanager.te
+++ b/policy/modules/services/cgmanager.te
@@ -20,7 +20,7 @@ files_runtime_file(cgmanager_run_t)
 # CGManager local policy
 #
-allow cgmanager_t self:capability { sys_admin dac_override };
+allow cgmanager_t self:capability { dac_override sys_admin };
 allow cgmanager_t self:fifo_file rw_fifo_file_perms;
 manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
index 400bcb73ee..252454493b 100644
--- a/policy/modules/services/cgroup.te
+++ b/policy/modules/services/cgroup.te
@@ -78,8 +78,8 @@ fs_unmount_cgroup(cgconfig_t)
 #
 allow cgred_t self:capability { chown dac_override fsetid net_admin sys_admin sys_ptrace };
-allow cgred_t self:netlink_socket { write bind create read };
-allow cgred_t self:unix_dgram_socket { write create connect };
+allow cgred_t self:netlink_socket { bind create read write };
+allow cgred_t self:unix_dgram_socket { connect create write };
 allow cgred_t cgrules_etc_t:file read_file_perms;
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
index 2e5130b1a9..4c26a68c4a 100644
--- a/policy/modules/services/chronyd.if
+++ b/policy/modules/services/chronyd.if
@@ -254,11 +254,11 @@ interface(`chronyd_read_key_files',`
 interface(`chronyd_enabledisable',`
 gen_require(`
 type chronyd_unit_t;
- class service { enable disable };
+ class service { disable enable };
 ')
 chronyd_status($1)
- allow $1 chronyd_unit_t:service { enable disable };
+ allow $1 chronyd_unit_t:service { disable enable };
 ')
 ########################################
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index f59ce107c2..0aed813343 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -307,10 +307,10 @@ interface(`clamav_exec_freshclam',`
 interface(`clamav_enabledisable_clamd',`
 gen_require(`
 type clamd_unit_t;
- class service { enable disable };
+ class service { disable enable };
 ')
- allow $1 clamd_unit_t:service { enable disable };
+ allow $1 clamd_unit_t:service { disable enable };
 ')
 ########################################
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index a9476a5612..51b9c0692b 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -73,12 +73,12 @@ logging_log_file(freshclam_var_log_t)
 # Clamd local policy
 #
-allow clamd_t self:capability { chown fowner fsetid kill setgid setuid dac_override };
+allow clamd_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
 dontaudit clamd_t self:capability sys_tty_config;
-allow clamd_t self:process { signal getsched };
+allow clamd_t self:process { getsched signal };
 allow clamd_t self:fifo_file rw_fifo_file_perms;
 allow clamd_t self:unix_stream_socket { accept connectto listen };
-allow clamd_t self:tcp_socket { listen accept };
+allow clamd_t self:tcp_socket { accept listen };
 allow clamd_t clamd_etc_t:dir list_dir_perms;
 read_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t)
diff --git a/policy/modules/services/cockpit.if b/policy/modules/services/cockpit.if
index bde2bfad5b..b79854374c 100644
--- a/policy/modules/services/cockpit.if
+++ b/policy/modules/services/cockpit.if
@@ -49,7 +49,7 @@ template(`cockpit_role_template',`
 files_tmpfs_file($1_cockpit_tmpfs_t)
 dev_filetrans($2, $1_cockpit_tmpfs_t, file)
- allow $2 $1_cockpit_tmpfs_t:file { mmap_manage_file_perms execute };
+ allow $2 $1_cockpit_tmpfs_t:file { execute mmap_manage_file_perms };
 dev_dontaudit_execute_dev_nodes($2)
@@ -122,11 +122,11 @@ interface(`cockpit_get_service_status',`
 interface(`cockpit_enabledisable',`
 gen_require(`
 type cockpit_unit_t;
- class service { enable disable };
+ class service { disable enable };
 ')
 cockpit_get_service_status($1)
- allow $1 cockpit_unit_t:service { enable disable };
+ allow $1 cockpit_unit_t:service { disable enable };
 ')
 ########################################
diff --git a/policy/modules/services/cockpit.te b/policy/modules/services/cockpit.te
index eb2cd38120..47d7d92320 100644
--- a/policy/modules/services/cockpit.te
+++ b/policy/modules/services/cockpit.te
@@ -59,7 +59,7 @@ cockpit_domtrans_session(cockpit_ws_t)
 allow cockpit_ws_t cockpit_session_t:process signal_perms;
 # cockpit-tls and cockpit-ws communicate over a Unix socket
-allow cockpit_ws_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow cockpit_ws_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow cockpit_ws_t cockpit_cert_t:file unlink;
@@ -150,8 +150,8 @@ optional_policy(`
 #
 # cockpit-session changes to the actual logged in user
-allow cockpit_session_t self:capability { sys_admin dac_read_search dac_override setuid setgid sys_resource};
-allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit };
+allow cockpit_session_t self:capability { dac_override dac_read_search setgid setuid sys_admin sys_resource };
+allow cockpit_session_t self:process { setexec setrlimit setsched signal_perms };
 allow cockpit_session_t self:fifo_file rw_inherited_fifo_file_perms;
 # cockpit-session communicates back with cockpit-ws
@@ -228,7 +228,7 @@ optional_policy(`
 # cockpit-certificate-ensure policy
 #
-allow cockpit_cert_manage_t self:capability { chown dac_read_search dac_override };
+allow cockpit_cert_manage_t self:capability { chown dac_override dac_read_search };
 allow cockpit_cert_manage_t self:fifo_file rw_inherited_fifo_file_perms;
 allow cockpit_cert_manage_t self:process setfscreate;
 allow cockpit_cert_manage_t self:unix_stream_socket { connect create };
diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 009fffc4a4..ceb9de817a 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -644,7 +644,7 @@ interface(`container_manage_all_containers',`
 attribute container_domain;
 ')
- allow $1 container_domain:process { getattr getsched setsched transition signal signull sigkill };
+ allow $1 container_domain:process { getattr getsched setsched sigkill signal signull transition };
 ')
 ########################################
@@ -2730,7 +2730,7 @@ interface(`container_admin',`
 allow $1 container_engine_domain:process { ptrace signal_perms };
 ps_process_pattern($1, container_engine_domain)
- allow $1 self:cap_userns { kill sys_ptrace sys_admin };
+ allow $1 self:cap_userns { kill sys_admin sys_ptrace };
 files_search_var_lib($1)
 admin_pattern($1, container_var_lib_t)
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 095308a13f..98368d5c8f 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -286,15 +286,15 @@ corenet_port(container_port_t)
 dontaudit container_domain self:capability fsetid;
 dontaudit container_domain self:capability2 block_suspend;
 allow container_domain self:cap_userns { chown dac_override dac_read_search fowner kill setgid setuid };
-allow container_domain self:process { execstack execmem getattr getcap getsched getsession setsched setcap setpgid signal_perms };
+allow container_domain self:process { execmem execstack getattr getcap getsched getsession setcap setpgid setsched signal_perms };
 allow container_domain self:dir rw_dir_perms;
 allow container_domain self:file create_file_perms;
 allow container_domain self:fifo_file manage_fifo_file_perms;
 allow container_domain self:sem create_sem_perms;
 allow container_domain self:shm create_shm_perms;
 allow container_domain self:msgq create_msgq_perms;
-allow container_domain self:unix_stream_socket { create_stream_socket_perms connectto };
-allow container_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow container_domain self:unix_stream_socket { connectto create_stream_socket_perms };
+allow container_domain self:unix_dgram_socket { create_socket_perms sendto };
 manage_dirs_pattern(container_domain, container_file_t, container_file_t)
 manage_files_pattern(container_domain, container_file_t, container_file_t)
@@ -304,7 +304,7 @@ manage_fifo_files_pattern(container_domain, container_file_t, container_file_t)
 rw_chr_files_pattern(container_domain, container_file_t, container_file_t)
 rw_blk_files_pattern(container_domain, container_file_t, container_file_t)
 allow container_domain container_file_t:dir_file_class_set watch;
-allow container_domain container_file_t:file { relabel_file_perms entrypoint map };
+allow container_domain container_file_t:file { entrypoint map relabel_file_perms };
 allow container_domain container_file_t:chr_file map;
 allow container_domain container_ro_file_t:blk_file read_blk_file_perms;
@@ -551,9 +551,9 @@ userdom_use_user_ptys(container_t)
 tunable_policy(`container_use_host_all_caps',`
 # omitted sys_module
- allow container_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
+ allow container_t self:capability { audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
 # omitted mac_admin, mac_override
- allow container_t self:capability2 { syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore };
+ allow container_t self:capability2 { audit_read block_suspend bpf checkpoint_restore perfmon syslog wake_alarm };
 ')
 tunable_policy(`container_use_mknod',`
@@ -566,9 +566,9 @@ tunable_policy(`container_use_sysadmin',`
 tunable_policy(`container_use_userns_all_caps',`
 # omitted sys_module
- allow container_t self:cap_userns { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
+ allow container_t self:cap_userns { audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
 # omitted mac_admin, mac_override
- allow container_t self:cap2_userns { syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore };
+ allow container_t self:cap2_userns { audit_read block_suspend bpf checkpoint_restore perfmon syslog wake_alarm };
 ')
 tunable_policy(`container_use_userns_mknod || container_use_mknod',`
@@ -588,19 +588,19 @@ optional_policy(`
 # Common container engine local policy
 #
-allow container_engine_domain self:process { getcap setcap getsched setsched getrlimit setrlimit rlimitinh noatsecure setexec setkeycreate setpgid siginh transition fork signal_perms };
-allow container_engine_domain self:capability { chown dac_override dac_read_search fowner fsetid kill mknod net_admin net_raw setfcap setpcap setgid setuid sys_admin sys_chroot sys_ptrace sys_resource };
+allow container_engine_domain self:process { fork getcap getrlimit getsched noatsecure rlimitinh setcap setexec setkeycreate setpgid setrlimit setsched siginh signal_perms transition };
+allow container_engine_domain self:capability { chown dac_override dac_read_search fowner fsetid kill mknod net_admin net_raw setfcap setgid setpcap setuid sys_admin sys_chroot sys_ptrace sys_resource };
 allow container_engine_domain self:capability2 { bpf perfmon };
 allow container_engine_domain self:bpf { map_create map_read map_write prog_load prog_run };
 allow container_engine_domain self:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
-allow container_engine_domain self:cap2_userns { audit_read bpf block_suspend perfmon syslog wake_alarm };
+allow container_engine_domain self:cap2_userns { audit_read block_suspend bpf perfmon syslog wake_alarm };
 allow container_engine_domain self:bpf { map_create map_read map_write prog_load prog_run };
 allow container_engine_domain self:fd use;
 allow container_engine_domain self:user_namespace create;
 allow container_engine_domain self:fifo_file manage_fifo_file_perms;
 allow container_engine_domain self:tcp_socket create_stream_socket_perms;
 allow container_engine_domain self:udp_socket create_socket_perms;
-allow 
container_engine_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allow container_engine_domain self:unix_stream_socket { connectto create_stream_socket_perms };
 allow container_engine_domain self:unix_dgram_socket { create_socket_perms sendto };
 allow container_engine_domain self:icmp_socket create_socket_perms;
 allow container_engine_domain self:netlink_route_socket create_netlink_socket_perms;
@@ -742,7 +742,7 @@ allow container_engine_domain container_engine_tmp_t:sock_file manage_sock_file_
 files_tmp_filetrans(container_engine_domain, container_engine_tmp_t, { dir file sock_file })
 allow container_engine_domain container_engine_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
-allow container_engine_domain container_engine_tmpfs_t:file { manage_file_perms relabel_file_perms exec_file_perms };
+allow container_engine_domain container_engine_tmpfs_t:file { exec_file_perms manage_file_perms relabel_file_perms };
 allow container_engine_domain container_engine_tmpfs_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
 allow container_engine_domain container_engine_tmpfs_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
 allow container_engine_domain container_engine_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
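Review bot: The rule `allow container_engine_domain self:bpf { map_create map_read map_write prog_load prog_run };` appears twice as context in the @@ -588 hunk of container.te, once right after the capability2 rule and again right after the cap2_userns rule, and the commit sorts the sets around it without touching the repeat. An exact duplicate is harmless to the compiled policy, but stating the engine domain's bpf grant (prog_load in particular) on a single line makes privilege audits easier and removes the chance of the two copies drifting apart on a later edit, so the second copy is worth dropping in a follow-up.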
@@ -754,16 +754,16 @@ manage_files_pattern(container_engine_domain, container_engine_lock_t, container
 files_lock_filetrans(container_engine_domain, container_engine_lock_t, { dir file })
 allow container_engine_domain container_file_t:dir { manage_dir_perms relabel_dir_perms };
-allow container_engine_domain container_file_t:file { manage_file_perms relabel_file_perms exec_file_perms };
+allow container_engine_domain container_file_t:file { exec_file_perms manage_file_perms relabel_file_perms };
 allow container_engine_domain container_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
 allow container_engine_domain container_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
 allow container_engine_domain container_file_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 allow container_engine_domain container_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 allow container_engine_domain container_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-allow container_engine_domain container_file_t:filesystem { getattr relabelfrom relabelto mount unmount remount };
+allow container_engine_domain container_file_t:filesystem { getattr mount relabelfrom relabelto remount unmount };
 allow container_engine_domain container_ro_file_t:dir { manage_dir_perms relabel_dir_perms };
-allow container_engine_domain container_ro_file_t:file { manage_file_perms relabel_file_perms exec_file_perms };
+allow container_engine_domain container_ro_file_t:file { exec_file_perms manage_file_perms relabel_file_perms };
 allow container_engine_domain container_ro_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
 allow container_engine_domain container_ro_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
 allow container_engine_domain container_ro_file_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
@@ -845,7 +845,7 @@ manage_files_pattern(container_engine_system_domain, container_log_t, container_
 logging_log_filetrans(container_engine_system_domain, container_log_t, { dir file })
 allow container_engine_system_domain container_var_lib_t:dir { manage_dir_perms relabel_dir_perms watch };
-allow container_engine_system_domain container_var_lib_t:file { manage_file_perms relabel_file_perms exec_file_perms };
+allow container_engine_system_domain container_var_lib_t:file { exec_file_perms manage_file_perms relabel_file_perms };
 allow container_engine_system_domain container_var_lib_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
 allow container_engine_system_domain container_var_lib_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
 allow container_engine_system_domain container_var_lib_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
@@ -918,7 +918,7 @@ allow container_engine_user_domain container_conf_home_t:file manage_file_perms;
 xdg_config_filetrans(container_engine_user_domain, container_conf_home_t, dir)
 allow container_engine_user_domain container_data_home_t:dir { manage_dir_perms relabel_dir_perms watch };
-allow container_engine_user_domain container_data_home_t:file { manage_file_perms relabel_file_perms exec_file_perms };
+allow container_engine_user_domain container_data_home_t:file { exec_file_perms manage_file_perms relabel_file_perms };
 allow container_engine_user_domain container_data_home_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
 allow container_engine_user_domain container_data_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 allow container_engine_user_domain container_data_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
diff --git a/policy/modules/services/couchdb.te b/policy/modules/services/couchdb.te
index 5416c537ed..053920ccb5 100644
--- a/policy/modules/services/couchdb.te
+++ b/policy/modules/services/couchdb.te
@@ -37,7 +37,7 @@ files_type(couchdb_var_lib_t)
 # couchdb policy
 #
-allow couchdb_t self:process { getsched setsched signal signull sigkill };
+allow couchdb_t self:process { getsched setsched sigkill signal signull };
 allow couchdb_t self:fifo_file rw_fifo_file_perms;
 allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
 allow couchdb_t self:tcp_socket { accept listen };
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index e60479fdf9..eef6a2d032 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -180,7 +180,7 @@ template(`cron_unconfined_role',`
 domtrans_pattern($2, crontab_exec_t, crontab_t)
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ dontaudit crond_t $2:process { noatsecure rlimitinh siginh };
 allow $2 crond_t:process sigchld;
 allow $2 user_cron_spool_t:file rw_inherited_file_perms;
@@ -273,7 +273,7 @@ template(`cron_admin_role',`
 domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ dontaudit crond_t $2:process { noatsecure rlimitinh siginh };
 allow $2 crond_t:process sigchld;
 allow $2 user_cron_spool_t:file rw_inherited_file_perms;
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index a6fbd30e1a..9b81dac717 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -206,7 +206,7 @@ allow crond_t self:capability { chown dac_override dac_read_search fowner setgid
 # net_admin for changing buffer sizes
 dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
-allow crond_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow crond_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition };
 allow crond_t self:fd use;
 allow crond_t self:fifo_file rw_fifo_file_perms;
 allow crond_t self:unix_dgram_socket sendto;
@@ -214,8 +214,8 @@ allow crond_t self:unix_stream_socket { accept connectto listen };
 allow crond_t self:shm create_shm_perms;
 allow crond_t self:sem create_sem_perms;
 allow crond_t self:msgq create_msgq_perms;
-allow crond_t self:msg { send receive };
-allow crond_t self:key { search write link };
+allow crond_t self:msg { receive send };
+allow crond_t self:key { link search write };
 dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
 allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
@@ -247,7 +247,7 @@ allow crond_t system_cronjob_t:process transition;
 allow crond_t system_cronjob_t:fd use;
 allow crond_t system_cronjob_t:key manage_key_perms;
-dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh };
+dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure rlimitinh siginh };
 domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
@@ -443,7 +443,7 @@ optional_policy(`
 #
 allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice sys_resource };
-allow system_cronjob_t self:process { signal_perms getsched setsched setrlimit };
+allow system_cronjob_t self:process { getsched setrlimit setsched signal_perms };
 allow system_cronjob_t self:fd use;
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
@@ -691,7 +691,7 @@ optional_policy(`
 # Cronjob local policy
 #
-allow cronjob_t self:process { signal_perms setsched };
+allow cronjob_t self:process { setsched signal_perms };
 allow cronjob_t self:fifo_file rw_fifo_file_perms;
 allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
 allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -774,7 +774,7 @@ type unconfined_cronjob_t;
 domain_type(unconfined_cronjob_t)
 domain_cron_exemption_target(unconfined_cronjob_t)
-dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
+dontaudit crond_t unconfined_cronjob_t:process { noatsecure rlimitinh siginh };
 tunable_policy(`cron_userdomain_transition',`
 dontaudit crond_t unconfined_cronjob_t:process transition;
diff --git a/policy/modules/services/ctdb.te b/policy/modules/services/ctdb.te
index 4326ba5ff1..8884364ec5 100644
--- a/policy/modules/services/ctdb.te
+++ b/policy/modules/services/ctdb.te
@@ -33,7 +33,7 @@ files_type(ctdbd_var_lib_t)
 #
 allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
-allow ctdbd_t self:process { setpgid signal_perms setsched };
+allow ctdbd_t self:process { setpgid setsched signal_perms };
 allow ctdbd_t self:fifo_file rw_fifo_file_perms;
 allow ctdbd_t self:unix_stream_socket { accept connectto listen };
 allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 136953edc8..92efa18987 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -141,7 +141,7 @@ manage_sock_files_pattern(cupsd_t, cupsd_runtime_t, cupsd_runtime_t)
 manage_fifo_files_pattern(cupsd_t, cupsd_runtime_t, cupsd_runtime_t)
 files_runtime_filetrans(cupsd_t, cupsd_runtime_t, { dir fifo_file file })
-allow cupsd_t hplip_t:process { signal sigkill };
+allow cupsd_t hplip_t:process { sigkill signal };
 read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index 97fe6c8683..40bae5b358 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -31,7 +31,7 @@ files_type(cyrus_var_lib_t)
 allow cyrus_t self:capability { dac_override setgid setuid sys_resource };
 dontaudit cyrus_t self:capability sys_tty_config;
-allow cyrus_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow cyrus_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
 allow cyrus_t self:process setrlimit;
 allow cyrus_t self:fd use;
 allow cyrus_t self:fifo_file rw_fifo_file_perms;
@@ -39,7 +39,7 @@ allow cyrus_t self:sock_file read_sock_file_perms;
 allow cyrus_t self:shm create_shm_perms;
 allow cyrus_t self:sem create_sem_perms;
 allow cyrus_t self:msgq create_msgq_perms;
-allow cyrus_t self:msg { send receive };
+allow cyrus_t self:msg { receive send };
 allow cyrus_t self:unix_dgram_socket sendto;
 allow cyrus_t self:unix_stream_socket { accept connectto listen };
 allow cyrus_t self:tcp_socket { accept listen };
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index d13a53a525..7534df7334 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -59,7 +59,7 @@ interface(`dbus_exec',`
 #
 template(`dbus_role_template',`
 gen_require(`
- class dbus { send_msg acquire_svc };
+ class dbus { acquire_svc send_msg };
 attribute session_bus_type;
 type system_dbusd_t, dbusd_exec_t;
 type session_dbusd_tmp_t, session_dbusd_home_t;
@@ -86,14 +86,14 @@ template(`dbus_role_template',`
 # Local policy
 #
- allow $3 $1_dbusd_t:unix_stream_socket { create_stream_socket_perms connectto };
- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 $1_dbusd_t:unix_stream_socket { connectto create_stream_socket_perms };
+ allow $3 $1_dbusd_t:dbus { acquire_svc send_msg };
 allow $3 $1_dbusd_t:fd use;
 dontaudit $1_dbusd_t self:process getcap;
 dontaudit $1_dbusd_t self:cap_userns sys_ptrace;
- allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
+ allow $3 system_dbusd_t:dbus { acquire_svc send_msg };
 dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
 allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 855ce86bdb..672aeddf4b 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -100,11 +100,11 @@ ifdef(`enable_mls',`
 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
 # net_admin for changing buffer sizes
 dontaudit system_dbusd_t self:capability { net_admin sys_tty_config };
-allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
+allow system_dbusd_t self:process { getattr getcap getsched setcap setpgid setrlimit signal_perms };
 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
-allow system_dbusd_t self:dbus { send_msg acquire_svc };
-allow system_dbusd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow system_dbusd_t self:netlink_selinux_socket { create bind read };
+allow system_dbusd_t self:dbus { acquire_svc send_msg };
+allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow system_dbusd_t self:netlink_selinux_socket { bind create read };
 allow system_dbusd_t dbusd_etc_t:dir { list_dir_perms watch };
 read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
@@ -299,7 +299,7 @@ allow session_bus_type self:process { getattr sigkill signal };
 dontaudit session_bus_type self:process { ptrace setrlimit };
 allow session_bus_type self:file rw_inherited_file_perms;
 allow session_bus_type self:fifo_file rw_fifo_file_perms;
-allow session_bus_type self:dbus { send_msg acquire_svc };
+allow session_bus_type self:dbus { acquire_svc send_msg };
 allow session_bus_type self:unix_stream_socket { accept listen };
 allow session_bus_type self:netlink_selinux_socket create_socket_perms;
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
index 58c82ab1f0..8c76a5e415 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -155,7 +155,7 @@ interface(`devicekit_append_inherited_log_files',`
 ')
 logging_search_logs($1)
- allow $1 devicekit_var_log_t:file { getattr_file_perms append };
+ allow $1 devicekit_var_log_t:file { append getattr_file_perms };
 devicekit_use_fds_power($1)
 ')
diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
index a286f7dee1..29b0717585 100644
--- a/policy/modules/services/dictd.te
+++ b/policy/modules/services/dictd.te
@@ -28,7 +28,7 @@ files_type(dictd_var_lib_t)
 allow dictd_t self:capability { setgid setuid };
 dontaudit dictd_t self:capability sys_tty_config;
-allow dictd_t self:process { signal_perms setpgid };
+allow dictd_t self:process { setpgid signal_perms };
 allow dictd_t self:unix_stream_socket { accept listen };
 allow dictd_t self:tcp_socket { accept listen };
diff --git a/policy/modules/services/dirmngr.te b/policy/modules/services/dirmngr.te
index 0f7faf558a..1c8389722e 100644
--- a/policy/modules/services/dirmngr.te
+++ b/policy/modules/services/dirmngr.te
@@ -44,7 +44,7 @@ allow dirmngr_t dirmngr_conf_t:file read_file_perms;
 allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms;
 manage_files_pattern(dirmngr_t, dirmngr_home_t, dirmngr_home_t)
-allow dirmngr_t dirmngr_home_t:dir { create_dir_perms add_entry_dir_perms list_dir_perms };
+allow dirmngr_t dirmngr_home_t:dir { add_entry_dir_perms create_dir_perms list_dir_perms };
 manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
 append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te
index b5ba7113a4..3fbebbb9ae 100644
--- a/policy/modules/services/distcc.te
+++ b/policy/modules/services/distcc.te
@@ -28,7 +28,7 @@ files_tmp_file(distccd_tmp_t)
 allow distccd_t self:capability { setgid setuid };
 dontaudit distccd_t self:capability sys_tty_config;
-allow distccd_t self:process { signal_perms setsched };
+allow distccd_t self:process { setsched signal_perms };
 allow distccd_t self:fifo_file rw_fifo_file_perms;
 allow distccd_t self:tcp_socket { accept listen };
diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
index e960818da7..d5c77e1aec 100644
--- a/policy/modules/services/dkim.te
+++ b/policy/modules/services/dkim.te
@@ -23,8 +23,8 @@ init_daemon_runtime_file(dkim_milter_data_t, dir, "opendkim")
 # Local policy
 #
-allow dkim_milter_t self:capability { dac_read_search dac_override setgid setuid };
-allow dkim_milter_t self:process { signal signull getsched };
+allow dkim_milter_t self:capability { dac_override dac_read_search setgid setuid };
+allow dkim_milter_t self:process { getsched signal signull };
 allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 9372198311..03c055ca6f 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -102,7 +102,7 @@ miscfiles_read_localization(dovecot_domain)
 allow dovecot_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_chroot sys_resource };
 dontaudit dovecot_t self:capability sys_tty_config;
-allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
+allow dovecot_t self:process { getcap setcap setrlimit setsched signal_perms };
 allow dovecot_t self:tcp_socket { accept listen };
 allow dovecot_t self:unix_stream_socket { accept connectto listen };
@@ -252,7 +252,7 @@ optional_policy(`
 #
 allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
-allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
+allow dovecot_auth_t self:process { getcap getsched setcap setsched signal_perms };
 allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };
 read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
diff --git a/policy/modules/services/eg25manager.te b/policy/modules/services/eg25manager.te
index f305a9a01d..e7d8f21cc2 100644
--- a/policy/modules/services/eg25manager.te
+++ b/policy/modules/services/eg25manager.te
@@ -30,7 +30,7 @@ files_tmp_file(eg25manager_tmp_t)
 #
 allow eg25manager_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow eg25manager_t self:process { signal getsched setsched };
+allow eg25manager_t self:process { getsched setsched signal };
 allow eg25manager_t self:tcp_socket { connect create getattr getopt read setopt write };
 allow eg25manager_t self:udp_socket { connect create getattr read setopt write };
 allow eg25manager_t self:unix_dgram_socket { create write };
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 80d8284664..975c1ec1f3 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -73,7 +73,7 @@ ifdef(`distro_debian',`
 #
 allow exim_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_resource };
-allow exim_t self:process { setrlimit setpgid };
+allow exim_t self:process { setpgid setrlimit };
 allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket { accept listen };
 allow exim_t self:tcp_socket { accept listen };
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index 954dd4dc64..a79f847150 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -136,7 +136,7 @@ optional_policy(`
 #
 allow fail2ban_client_t self:capability dac_read_search;
-allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+allow fail2ban_client_t self:unix_stream_socket { connect create read write };
 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index 164ddde705..c90faa34cd 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -34,7 +34,7 @@ files_type(fetchmail_uidl_cache_t)
 #
 dontaudit fetchmail_t self:capability sys_tty_config;
-allow fetchmail_t self:process { signal_perms setrlimit };
+allow fetchmail_t self:process { setrlimit signal_perms };
 allow fetchmail_t self:unix_stream_socket { accept listen };
 allow fetchmail_t fetchmail_etc_t:file read_file_perms;
diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
index 310d5be3fc..11fe51ae81 100644
--- a/policy/modules/services/fprintd.te
+++ b/policy/modules/services/fprintd.te
@@ -18,7 +18,7 @@ files_type(fprintd_var_lib_t)
 #
 allow fprintd_t self:capability sys_nice;
-allow fprintd_t self:process { getsched setsched signal sigkill };
+allow fprintd_t self:process { getsched setsched sigkill signal };
 allow fprintd_t self:fifo_file rw_fifo_file_perms;
 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 3a638a72c3..d5b2a92a6d 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -167,7 +167,7 @@ ifdef(`enable_mls',`
 allow ftpd_t self:capability { chown fowner fsetid ipc_lock kill setgid setuid sys_admin sys_chroot sys_nice sys_resource };
 dontaudit ftpd_t self:capability sys_tty_config;
-allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
+allow ftpd_t self:process { getcap getpgid setcap setrlimit setsched signal_perms };
 allow ftpd_t self:fifo_file rw_fifo_file_perms;
 allow ftpd_t self:unix_dgram_socket sendto;
 allow ftpd_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/services/gdomap.te b/policy/modules/services/gdomap.te
index 71a3e036bb..e58579388e 100644
--- a/policy/modules/services/gdomap.te
+++ b/policy/modules/services/gdomap.te
@@ -24,7 +24,7 @@ files_runtime_file(gdomap_runtime_t)
 #
 allow gdomap_t self:capability { net_bind_service setgid setuid sys_chroot };
-allow gdomap_t self:tcp_socket { listen accept };
+allow gdomap_t self:tcp_socket { accept listen };
 allow gdomap_t gdomap_runtime_t:file manage_file_perms;
 # gdomap_runtime_t dir is for chroot
diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te
index 3b7a85a3ba..1d24cdad22 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -63,7 +63,7 @@ allow glusterd_t self:capability { chown dac_override dac_read_search fowner fse
 allow glusterd_t self:process { getsched setrlimit signal signull };
 allow glusterd_t self:fifo_file rw_fifo_file_perms;
 allow glusterd_t self:tcp_socket create_stream_socket_perms;
-allow glusterd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow glusterd_t self:unix_stream_socket { connectto create_stream_socket_perms };
 manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
 manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te
index 047afaf899..109223b780 100644
--- a/policy/modules/services/gpm.te
+++ b/policy/modules/services/gpm.te
@@ -30,7 +30,7 @@ files_type(gpmctl_t)
 #
 allow gpm_t self:capability { dac_override setpcap setuid sys_admin sys_tty_config };
-allow gpm_t self:process { signal signull getcap setcap };
+allow gpm_t self:process { getcap setcap signal signull };
 allow gpm_t self:unix_stream_socket { accept listen };
 allow gpm_t gpm_conf_t:dir list_dir_perms;
diff --git a/policy/modules/services/gssproxy.te b/policy/modules/services/gssproxy.te
index 7f73637a35..198645f4c0 100644
--- a/policy/modules/services/gssproxy.te
+++ b/policy/modules/services/gssproxy.te
@@ -22,7 +22,7 @@ init_unit_file(gssproxy_unit_t)
 #
 # gssproxy local policy
 #
-allow gssproxy_t self:capability { setuid setgid };
+allow gssproxy_t self:capability { setgid setuid };
 allow gssproxy_t self:capability2 block_suspend;
 allow gssproxy_t self:fifo_file rw_fifo_file_perms;
 allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index 844f6865f8..68a0b429cf 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -89,7 +89,7 @@ userdom_user_tmp_file(zookeeper_tmp_t)
 #
 allow hadoop_t self:capability sys_resource;
-allow hadoop_t self:process { getsched setsched signal signull setrlimit execmem };
+allow hadoop_t self:process { execmem getsched setrlimit setsched signal signull };
 allow hadoop_t self:fifo_file rw_fifo_file_perms;
 allow hadoop_t self:key write;
 allow hadoop_t self:peer recv;
@@ -401,7 +401,7 @@ hadoop_recvfrom_namenode(hadoop_tasktracker_t)
 # Zookeeper client local policy
 #
-allow zookeeper_t self:process { getsched sigkill signal signull execmem };
+allow zookeeper_t self:process { execmem getsched sigkill signal signull };
 allow zookeeper_t self:fifo_file rw_fifo_file_perms;
 allow zookeeper_t self:tcp_socket { accept listen };
@@ -414,7 +414,7 @@ allow zookeeper_t hadoop_hsperfdata_t:dir manage_dir_perms;
 files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir)
 allow zookeeper_t zookeeper_log_t:dir { rw_dir_perms setattr_dir_perms };
-allow zookeeper_t zookeeper_log_t:file { create_file_perms append_file_perms read_file_perms setattr_file_perms };
+allow zookeeper_t zookeeper_log_t:file { append_file_perms create_file_perms read_file_perms setattr_file_perms };
 append_files_pattern(zookeeper_t, zookeeper_log_t, zookeeper_log_t)
 logging_log_filetrans(zookeeper_t, zookeeper_log_t, file)
@@ -483,7 +483,7 @@ manage_files_pattern(zookeeper_server_t, zookeeper_server_var_t, zookeeper_serve
 files_var_lib_filetrans(zookeeper_server_t, zookeeper_server_var_t, { dir file })
 allow zookeeper_server_t zookeeper_log_t:dir { rw_dir_perms setattr_dir_perms };
-allow zookeeper_server_t zookeeper_log_t:file { create_file_perms append_file_perms read_file_perms setattr_file_perms };
+allow zookeeper_server_t zookeeper_log_t:file { append_file_perms create_file_perms read_file_perms setattr_file_perms };
 logging_log_filetrans(zookeeper_server_t, zookeeper_log_t, file)
 manage_files_pattern(zookeeper_server_t, zookeeper_server_tmp_t, zookeeper_server_tmp_t)
diff --git a/policy/modules/services/hostapd.te b/policy/modules/services/hostapd.te
index daf39a90aa..8bc2d5e508 100644
--- a/policy/modules/services/hostapd.te
+++ b/policy/modules/services/hostapd.te
@@ -20,7 +20,7 @@ files_runtime_file(hostapd_runtime_t)
 # hostapd local policy
 #
-allow hostapd_t self:capability { fsetid chown net_admin net_raw dac_read_search dac_override };
+allow hostapd_t self:capability { chown dac_override dac_read_search fsetid net_admin net_raw };
 allow hostapd_t self:fifo_file rw_fifo_file_perms;
 allow hostapd_t self:unix_stream_socket create_stream_socket_perms;
 allow hostapd_t self:netlink_socket create_socket_perms;
diff --git a/policy/modules/services/hypervkvp.te b/policy/modules/services/hypervkvp.te
index dccb0ec09b..73f7644315 100644
--- a/policy/modules/services/hypervkvp.te
+++ b/policy/modules/services/hypervkvp.te
@@ -155,7 +155,7 @@ optional_policy(`
 # hypervvssd local policy
 #
-allow hypervvssd_t self:capability { dac_read_search dac_override sys_admin };
+allow hypervvssd_t self:capability { dac_override dac_read_search sys_admin };
 dev_rw_hyperv_vss(hypervvssd_t)
diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
index a718bfe405..9334e72211 100644
--- a/policy/modules/services/i18n_input.te
+++ b/policy/modules/services/i18n_input.te
@@ -32,7 +32,7 @@ files_runtime_file(i18n_input_runtime_t)
 allow i18n_input_t self:capability { kill setgid setuid };
 dontaudit i18n_input_t self:capability sys_tty_config;
-allow i18n_input_t self:process { signal_perms setsched setpgid };
+allow i18n_input_t self:process { setpgid setsched signal_perms };
 allow i18n_input_t self:fifo_file rw_fifo_file_perms;
 allow i18n_input_t self:unix_stream_socket { accept listen };
 allow i18n_input_t self:tcp_socket { accept listen };
diff --git a/policy/modules/services/iiosensorproxy.te b/policy/modules/services/iiosensorproxy.te
index baca17d726..a820877fad 100644
--- a/policy/modules/services/iiosensorproxy.te
+++ b/policy/modules/services/iiosensorproxy.te
@@ -37,7 +37,7 @@ init_daemon_domain(iiosensorproxy_t, iiosensorproxy_exec_t)
 # Local policy
 #
-allow iiosensorproxy_t self:netlink_kobject_uevent_socket { bind create getattr setopt read };
+allow iiosensorproxy_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
 allow iiosensorproxy_t self:process { getsched setsched };
 allow iiosensorproxy_t self:unix_dgram_socket { create write };
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index 33af29d9be..9fc5cf6513 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -35,7 +35,7 @@ files_tmp_file(inetd_child_tmp_t)
 allow inetd_t self:capability { kill setgid setuid sys_resource };
 dontaudit inetd_t self:capability sys_tty_config;
-allow inetd_t self:process { setsched setexec setrlimit };
+allow inetd_t self:process { setexec setrlimit setsched };
 allow inetd_t self:fifo_file rw_fifo_file_perms;
 allow inetd_t self:tcp_socket { accept listen };
 allow inetd_t self:fd use;
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index cc63bba601..17d8f994df 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -77,7 +77,7 @@ files_tmp_file(krb5kdc_tmp_t)
 allow kadmind_t self:capability { chown dac_override fowner setgid setuid sys_nice };
 dontaudit kadmind_t self:capability sys_tty_config;
 allow kadmind_t self:capability2 block_suspend;
-allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
+allow kadmind_t self:process { getsched setfscreate setsched signal_perms };
 allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
 allow kadmind_t self:tcp_socket { accept listen };
 allow kadmind_t self:udp_socket create_socket_perms;
@@ -89,7 +89,7 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
 dontaudit kadmind_t krb5_conf_t:file write_file_perms;
 read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
-dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
+dontaudit kadmind_t krb5kdc_conf_t:file { setattr_file_perms write_file_perms };
 allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
@@ -170,7 +170,7 @@ optional_policy(`
 allow krb5kdc_t self:capability { chown dac_override fowner net_admin setgid setuid sys_nice };
 dontaudit krb5kdc_t self:capability sys_tty_config;
 allow krb5kdc_t self:capability2 block_suspend;
-allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
+allow krb5kdc_t self:process { getsched setfscreate setsched signal_perms };
 allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
 allow krb5kdc_t self:tcp_socket { accept listen };
 allow krb5kdc_t self:udp_socket create_socket_perms;
diff --git a/policy/modules/services/kerneloops.te b/policy/modules/services/kerneloops.te
index df1e4accd4..0430897d5a 100644
--- a/policy/modules/services/kerneloops.te
+++ b/policy/modules/services/kerneloops.te
@@ -21,7 +21,7 @@ files_tmp_file(kerneloops_tmp_t)
 #
 allow kerneloops_t self:capability sys_nice;
-allow kerneloops_t self:process { getcap setcap setsched getsched signal };
+allow kerneloops_t self:process { getcap getsched setcap setsched signal };
 allow kerneloops_t self:fifo_file rw_fifo_file_perms;
 manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
diff --git a/policy/modules/services/knot.te b/policy/modules/services/knot.te
index 1239fa6409..d658d973c1 100644
--- a/policy/modules/services/knot.te
+++ b/policy/modules/services/knot.te
@@ -38,7 +38,7 @@ files_type(knot_var_lib_t)
 #
 allow knotd_t self:capability { dac_override dac_read_search setgid setpcap setuid };
-allow knotd_t self:process { signal_perms getcap getsched setsched };
+allow knotd_t self:process { getcap getsched setsched signal_perms };
 allow knotd_t self:tcp_socket create_stream_socket_perms;
 allow knotd_t self:udp_socket create_socket_perms;
 allow knotd_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
index c45c26dfb1..fb4341ef3d 100644
--- a/policy/modules/services/likewise.if
+++ b/policy/modules/services/likewise.if
@@ -41,7 +41,7 @@ template(`likewise_domain_template',`
 # Policy
 #
- allow $1_t self:process { signal_perms getsched setsched };
+ allow $1_t self:process { getsched setsched signal_perms };
 allow $1_t self:fifo_file rw_fifo_file_perms;
 allow $1_t self:unix_stream_socket { accept listen };
 allow $1_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
index 4b3ca685a4..a784a47c07 100644
--- a/policy/modules/services/likewise.te
+++ b/policy/modules/services/likewise.te
@@ -98,7 +98,7 @@ corenet_tcp_connect_epmap_port(eventlogd_t)
 #
 allow lsassd_t self:capability { chown dac_override fowner fsetid sys_time };
-allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow lsassd_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow lsassd_t self:netlink_route_socket create_netlink_socket_perms;
 allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 160a2611a6..0fb2aff369 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -203,7 +203,7 @@ optional_policy(`
 allow lpr_t self:capability { chown dac_override net_bind_service setuid };
 allow lpr_t self:unix_stream_socket { accept listen };
-allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
+allow lpd_t print_spool_t:file { delete_file_perms read_file_perms rename_file_perms };
 can_exec(lpr_t, lpr_exec_t)
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index fe52b6fd81..d9c921c27b 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -100,7 +100,7 @@ miscfiles_read_localization(mailman_domain)
 # CGI local policy
 #
-allow mailman_cgi_t self:process { signal signull sigkill };
+allow mailman_cgi_t self:process { sigkill signal signull };
 allow mailman_cgi_t self:fifo_file rw_fifo_file_perms;
 allow mailman_cgi_t self:capability { dac_override setgid setuid };
 allow mailman_cgi_t self:unix_dgram_socket create_socket_perms;
@@ -179,8 +179,8 @@ optional_policy(`
 #
 allow mailman_mail_t self:capability { dac_override kill setgid setuid sys_tty_config };
-allow mailman_mail_t self:process { execmem signal signull setsched };
-allow mailman_mail_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
+allow mailman_mail_t self:process { execmem setsched signal signull };
+allow mailman_mail_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
 allow mailman_mail_t self:fifo_file rw_fifo_file_perms;
 allow mailman_mail_t mailman_archive_t:dir manage_dir_perms;
diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te
index 5f092f31cb..216f0d5362 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -59,7 +59,7 @@ allow matrixd_t self:udp_socket create_socket_perms;
 allow matrixd_t self:unix_dgram_socket create_socket_perms;
 # execmem is needed for Python callbacks
 # https://cffi.readthedocs.io/en/latest/using.html#callbacks
-allow matrixd_t self:process { getsched execmem };
+allow matrixd_t self:process { execmem getsched };
 allow matrixd_t matrixd_tmp_t:file mmap_manage_file_perms;
 files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
diff --git a/policy/modules/services/memlockd.te b/policy/modules/services/memlockd.te
index 14610d28d4..f554368862 100644
--- a/policy/modules/services/memlockd.te
+++ b/policy/modules/services/memlockd.te
@@ -14,7 +14,7 @@ init_daemon_domain(memlockd_t, memlockd_exec_t)
 # Local policy
 #
-allow memlockd_t self:capability { setgid setuid ipc_lock };
+allow memlockd_t self:capability { ipc_lock setgid setuid };
 allow memlockd_t self:fifo_file rw_inherited_fifo_file_perms;
 # cache /etc/shadow too
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
index b94117bfff..f21b33c82e 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -15,7 +15,7 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
 #
 allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
-allow modemmanager_t self:process { getsched setsched signal setpgid };
+allow modemmanager_t self:process { getsched setpgid setsched signal };
 allow modemmanager_t self:fifo_file rw_fifo_file_perms;
 allow modemmanager_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index bbf0496b3c..72c090dca1 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
@@ -42,7 +42,7 @@ files_tmp_file(mon_tmp_t)
 allow mon_t self:fifo_file rw_fifo_file_perms;
 allow mon_t self:tcp_socket create_stream_socket_perms;
-allow mon_t self:process { setrlimit getsched signal };
+allow mon_t self:process { getsched setrlimit signal };
 domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
@@ -169,9 +169,9 @@ optional_policy(` # # sys_ptrace is for reading /proc/1/maps etc -allow mon_local_test_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace sys_admin }; +allow mon_local_test_t self:capability { dac_override dac_read_search setgid setuid sys_admin sys_ptrace }; allow mon_local_test_t self:fifo_file rw_fifo_file_perms; -allow mon_local_test_t self:process { getsched sigkill sigstop signal }; +allow mon_local_test_t self:process { getsched sigkill signal sigstop }; allow mon_local_test_t self:cap_userns sys_ptrace; can_exec(mon_local_test_t, mon_local_test_exec_t) diff --git a/policy/modules/services/monit.te b/policy/modules/services/monit.te index c58763ed81..72921263a3 100644 --- a/policy/modules/services/monit.te +++ b/policy/modules/services/monit.te @@ -95,7 +95,7 @@ allow monit_t self:fifo_file rw_fifo_file_perms; allow monit_t self:rawip_socket connected_socket_perms; allow monit_t self:tcp_socket server_stream_socket_perms; -allow monit_t monit_log_t:file { create read_file_perms append_file_perms }; +allow monit_t monit_log_t:file { append_file_perms create read_file_perms }; logging_log_filetrans(monit_t, monit_log_t, file) allow monit_t monit_runtime_t:file manage_file_perms; diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te index 98ffeaa033..f3571afd04 100644 --- a/policy/modules/services/mpd.te +++ b/policy/modules/services/mpd.te @@ -68,7 +68,7 @@ userdom_user_home_content(mpd_user_data_t) # customizable # allow mpd_t self:capability { dac_override kill setgid setuid }; -allow mpd_t self:process { getsched setsched setrlimit signal signull setcap }; +allow mpd_t self:process { getsched setcap setrlimit setsched signal signull }; allow mpd_t self:fifo_file rw_fifo_file_perms; allow mpd_t self:unix_stream_socket { accept connectto listen }; allow mpd_t self:unix_dgram_socket sendto; 
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index 39c0ea3d05..a4e3896a50 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -57,7 +57,7 @@ userdom_user_tmp_file(user_mail_tmp_t) # allow user_mail_domain self:capability { chown setgid setuid }; -allow user_mail_domain self:process { signal_perms setrlimit }; +allow user_mail_domain self:process { setrlimit signal_perms }; allow user_mail_domain self:fifo_file rw_fifo_file_perms; allow user_mail_domain mta_exec_type:file entrypoint; diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te index 4d1124bbf3..67dc119b34 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -67,10 +67,10 @@ files_runtime_file(mysqlmanagerd_runtime_t) allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource }; dontaudit mysqld_t self:capability sys_tty_config; -allow mysqld_t self:process { getcap setsched getsched setrlimit signal_perms rlimitinh }; +allow mysqld_t self:process { getcap getsched rlimitinh setrlimit setsched signal_perms }; allow mysqld_t self:fifo_file rw_fifo_file_perms; allow mysqld_t self:shm create_shm_perms; -allow mysqld_t self:unix_stream_socket { connectto accept listen }; +allow mysqld_t self:unix_stream_socket { accept connectto listen }; allow mysqld_t self:tcp_socket { accept listen }; allow mysqld_t self:anon_inode { create map read write }; 
@@ -160,10 +160,10 @@ optional_policy(` # allow mysqld_safe_t self:capability { chown dac_override fowner kill }; -allow mysqld_safe_t self:process { setsched getsched setrlimit }; +allow mysqld_safe_t self:process { getsched setrlimit setsched }; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; -allow mysqld_safe_t mysqld_t:process { signull sigkill }; +allow mysqld_safe_t mysqld_t:process { sigkill signull }; read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te index 1ecf7d63f9..385593ab20 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -210,14 +210,14 @@ optional_policy(` allow nrpe_t self:capability { dac_override setgid setuid }; dontaudit nrpe_t self:capability { sys_resource sys_tty_config }; -allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; +allow nrpe_t self:process { setpgid setrlimit setsched signal_perms }; allow nrpe_t self:fifo_file rw_fifo_file_perms; allow nrpe_t self:tcp_socket { accept listen }; allow nrpe_t nagios_etc_t:dir list_dir_perms; allow nrpe_t nagios_etc_t:file read_file_perms; -allow nrpe_t nagios_plugin_domain:process { signal sigkill }; +allow nrpe_t nagios_plugin_domain:process { sigkill signal }; read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t) @@ -347,7 +347,7 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) # allow nagios_services_plugin_t self:capability net_raw; -allow nagios_services_plugin_t self:process { signal sigkill }; +allow nagios_services_plugin_t self:process { sigkill signal }; allow nagios_services_plugin_t self:tcp_socket { accept listen }; corecmd_exec_bin(nagios_services_plugin_t) diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if index 59ce01ce58..d94aa10f03 100644 --- a/policy/modules/services/networkmanager.if 
+++ b/policy/modules/services/networkmanager.if @@ -323,10 +323,10 @@ interface(`networkmanager_stream_connect',` interface(`networkmanager_enabledisable',` gen_require(` type NetworkManager_unit_t; - class service { enable disable }; + class service { disable enable }; ') - allow $1 NetworkManager_unit_t:service { enable disable }; + allow $1 NetworkManager_unit_t:service { disable enable }; ') ######################################## diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te index e81becb1dd..8535832e79 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -45,7 +45,7 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) allow NetworkManager_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill net_admin net_raw setgid setuid sys_nice }; dontaudit NetworkManager_t self:capability { sys_module sys_ptrace sys_tty_config }; allow NetworkManager_t self:capability2 wake_alarm; -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; +allow NetworkManager_t self:process { getcap getsched ptrace setcap setpgid setsched signal_perms }; allow NetworkManager_t self:fifo_file rw_fifo_file_perms; allow NetworkManager_t self:unix_dgram_socket sendto; allow NetworkManager_t self:unix_stream_socket { accept listen }; @@ -59,7 +59,7 @@ allow NetworkManager_t self:packet_socket create_socket_perms; allow NetworkManager_t self:socket create_socket_perms; allow NetworkManager_t self:alg_socket { accept bind create read setopt write }; # ICMPv6 router solicitation/advertisement -allow NetworkManager_t self:rawip_socket { create setopt getattr write read }; +allow NetworkManager_t self:rawip_socket { create getattr read setopt write }; allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if index 3f87cc461a..ab7f5ad929 100644 
--- a/policy/modules/services/nscd.if +++ b/policy/modules/services/nscd.if @@ -106,15 +106,15 @@ interface(`nscd_exec',` interface(`nscd_socket_use',` gen_require(` type nscd_t, nscd_runtime_t; - class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; + class nscd { getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv }; ') allow $1 self:unix_stream_socket create_socket_perms; - allow $1 nscd_t:nscd { getpwd getgrp gethost }; + allow $1 nscd_t:nscd { getgrp gethost getpwd }; dontaudit $1 nscd_t:fd use; - dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; + dontaudit $1 nscd_t:nscd { getserv shmemgrp shmemhost shmempwd shmemserv }; files_search_runtime($1) stream_connect_pattern($1, nscd_runtime_t, nscd_runtime_t, nscd_t) @@ -138,12 +138,12 @@ interface(`nscd_socket_use',` interface(`nscd_shm_use',` gen_require(` type nscd_t, nscd_runtime_t; - class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; + class nscd { getgrp gethost getpwd shmemgrp shmemhost shmempwd }; ') allow $1 self:unix_stream_socket create_stream_socket_perms; - allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; + allow $1 nscd_t:nscd { getgrp gethost getpwd shmemgrp shmemhost shmempwd }; allow $1 nscd_t:fd use; files_search_runtime($1) @@ -226,7 +226,7 @@ interface(`nscd_unconfined',` class nscd all_nscd_perms; ') - allow $1 nscd_t:nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv }; + allow $1 nscd_t:nscd { admin getgrp gethost getpwd getserv getstat shmemgrp shmemhost shmempwd shmemserv }; ') ######################################## diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te index ee161f791f..6899daa6fe 100644 --- a/policy/modules/services/nsd.te +++ b/policy/modules/services/nsd.te 
@@ -34,7 +34,7 @@ files_type(nsd_zone_t) # Local policy # -allow nsd_t self:capability { chown dac_override kill setgid setuid dac_read_search net_admin }; +allow nsd_t self:capability { chown dac_override dac_read_search kill net_admin setgid setuid }; dontaudit nsd_t self:capability sys_tty_config; allow nsd_t self:process signal_perms; allow nsd_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if index 43821d42ea..0d34322935 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if @@ -231,10 +231,10 @@ interface(`ntp_enabledisable',` ifdef(`init_systemd',` gen_require(` type ntpd_unit_t; - class service { enable disable }; + class service { disable enable }; ') - allow $1 ntpd_unit_t:service { enable disable }; + allow $1 ntpd_unit_t:service { disable enable }; ') ') diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te index 8a85342940..15b8699c68 100644 --- a/policy/modules/services/ntp.te +++ b/policy/modules/services/ntp.te @@ -53,9 +53,9 @@ init_system_domain(ntpd_t, ntpdate_exec_t) # Local policy # -allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; -dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid }; -allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; +allow ntpd_t self:capability { chown dac_override ipc_lock ipc_owner kill setgid setuid sys_chroot sys_nice sys_resource sys_time }; +dontaudit ntpd_t self:capability { fsetid net_admin sys_tty_config }; +allow ntpd_t self:process { getcap setcap setrlimit setsched signal_perms }; allow ntpd_t self:fifo_file rw_fifo_file_perms; allow ntpd_t self:shm create_shm_perms; allow ntpd_t self:socket create; diff --git a/policy/modules/services/numad.te b/policy/modules/services/numad.te index cbdae4db9e..b1e8377733 100644 --- a/policy/modules/services/numad.te 
+++ b/policy/modules/services/numad.te @@ -25,7 +25,7 @@ files_runtime_file(numad_runtime_t) # allow numad_t self:fifo_file rw_fifo_file_perms; -allow numad_t self:msg { send receive }; +allow numad_t self:msg { receive send }; allow numad_t self:msgq create_msgq_perms; allow numad_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te index c92925ca10..b204d6d64b 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -55,7 +55,7 @@ logging_log_file(openvpn_var_log_t) # allow openvpn_t self:capability { dac_override dac_read_search ipc_lock net_admin setgid setuid sys_chroot sys_nice sys_tty_config }; -allow openvpn_t self:process { signal getsched setsched }; +allow openvpn_t self:process { getsched setsched signal }; allow openvpn_t self:fifo_file rw_fifo_file_perms; allow openvpn_t self:unix_dgram_socket sendto; allow openvpn_t self:unix_stream_socket { accept connectto listen }; diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te index 508c769a48..3fe7dc27b4 100644 --- a/policy/modules/services/pacemaker.te +++ b/policy/modules/services/pacemaker.te @@ -50,10 +50,10 @@ logging_log_file(pcs_snmp_agent_log_t) # allow pacemaker_t self:capability { chown dac_override fowner fsetid kill net_raw setgid setuid }; -allow pacemaker_t self:process { getsched getcap setcap setpgid setrlimit setsched signal signull }; +allow pacemaker_t self:process { getcap getsched setcap setpgid setrlimit setsched signal signull }; allow pacemaker_t self:fifo_file rw_fifo_file_perms; allow pacemaker_t self:packet_socket { bind create getattr read write }; -allow pacemaker_t self:unix_stream_socket { connectto accept listen }; +allow pacemaker_t self:unix_stream_socket { accept connectto listen }; create_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t) append_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t) 
@@ -151,7 +151,7 @@ optional_policy(` allow pcs_snmp_agent_t self:capability { dac_override sys_resource }; allow pcs_snmp_agent_t self:fifo_file { rw_inherited_fifo_file_perms }; -allow pcs_snmp_agent_t self:process { execmem setsched getsched setrlimit }; +allow pcs_snmp_agent_t self:process { execmem getsched setrlimit setsched }; allow pcs_snmp_agent_t self:unix_stream_socket { create_socket_perms }; create_files_pattern(pcs_snmp_agent_t, pcs_snmp_agent_log_t, pcs_snmp_agent_log_t) diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te index e7287b49a8..08a2206c7b 100644 --- a/policy/modules/services/pegasus.te +++ b/policy/modules/services/pegasus.te @@ -39,11 +39,11 @@ allow pegasus_t self:capability { chown dac_override ipc_lock kill net_admin net dontaudit pegasus_t self:capability sys_tty_config; allow pegasus_t self:process signal; allow pegasus_t self:fifo_file rw_fifo_file_perms; -allow pegasus_t self:unix_stream_socket { connectto accept listen }; +allow pegasus_t self:unix_stream_socket { accept connectto listen }; allow pegasus_t self:tcp_socket { accept listen }; allow pegasus_t pegasus_conf_t:dir rw_dir_perms; -allow pegasus_t pegasus_conf_t:file { read_file_perms delete_file_perms rename_file_perms }; +allow pegasus_t pegasus_conf_t:file { delete_file_perms read_file_perms rename_file_perms }; allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te index 7b41c85383..a25315cfca 100644 --- a/policy/modules/services/plymouthd.te +++ b/policy/modules/services/plymouthd.te 
@@ -36,7 +36,7 @@ logging_log_file(plymouthd_var_log_t) allow plymouthd_t self:capability { sys_admin sys_tty_config }; dontaudit plymouthd_t self:capability dac_override; allow plymouthd_t self:capability2 block_suspend; -allow plymouthd_t self:process { signal getsched }; +allow plymouthd_t self:process { getsched signal }; allow plymouthd_t self:fifo_file rw_fifo_file_perms; allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te index ef11c088c6..075b890959 100644 --- a/policy/modules/services/portslave.te +++ b/policy/modules/services/portslave.te @@ -23,7 +23,7 @@ files_lock_file(portslave_lock_t) allow portslave_t self:capability { fsetid net_admin net_bind_service setgid setuid sys_tty_config }; dontaudit portslave_t self:capability sys_admin; -allow portslave_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow portslave_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow portslave_t self:fd use; allow portslave_t self:fifo_file rw_fifo_file_perms; allow portslave_t self:unix_dgram_socket sendto; @@ -31,7 +31,7 @@ allow portslave_t self:unix_stream_socket { accept connectto listen }; allow portslave_t self:shm create_shm_perms; allow portslave_t self:sem create_sem_perms; allow portslave_t self:msgq create_msgq_perms; -allow portslave_t self:msg { send receive }; +allow portslave_t self:msg { receive send }; allow portslave_t self:tcp_socket { accept listen }; allow portslave_t portslave_etc_t:dir list_dir_perms; diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index f85c82754a..da6e09565e 100644 
--- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -110,17 +110,17 @@ mta_mailserver_delivery(postfix_virtual_t) allow postfix_domain self:capability { sys_chroot sys_nice }; # net_admin for changing buffer sizes dontaudit postfix_domain self:capability { net_admin sys_tty_config }; -allow postfix_domain self:process { signal_perms setpgid setsched }; +allow postfix_domain self:process { setpgid setsched signal_perms }; allow postfix_domain self:fifo_file rw_fifo_file_perms; allow postfix_domain self:unix_stream_socket { accept connectto listen }; allow postfix_domain postfix_etc_t:dir list_dir_perms; -allow postfix_domain postfix_etc_t:file { read_file_perms map }; +allow postfix_domain postfix_etc_t:file { map read_file_perms }; allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms; allow postfix_domain postfix_master_t:file read_file_perms; -allow postfix_domain postfix_exec_t:file { mmap_exec_file_perms lock }; +allow postfix_domain postfix_exec_t:file { lock mmap_exec_file_perms }; allow postfix_domain postfix_master_t:process sigchld; @@ -168,7 +168,7 @@ userdom_dontaudit_use_unpriv_user_fds(postfix_domain) # Common postfix server domain local policy # -allow postfix_server_domain self:capability { dac_read_search dac_override setgid setuid }; +allow postfix_server_domain self:capability { dac_override dac_read_search setgid setuid }; allow postfix_master_t self:process getsched; allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; @@ -185,7 +185,7 @@ corenet_tcp_connect_all_ports(postfix_server_domain) # Common postfix user domain local policy # -allow postfix_user_domains self:capability { dac_read_search dac_override }; +allow postfix_user_domains self:capability { dac_override dac_read_search }; domain_use_interactive_fds(postfix_user_domains) 
@@ -194,7 +194,7 @@ domain_use_interactive_fds(postfix_user_domains) # Master local policy # -allow postfix_master_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_tty_config }; +allow postfix_master_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_tty_config }; allow postfix_master_t self:capability2 block_suspend; allow postfix_master_t self:process setrlimit; allow postfix_master_t self:tcp_socket create_stream_socket_perms; @@ -211,7 +211,7 @@ allow postfix_master_t postfix_data_t:file mmap_manage_file_perms; allow postfix_master_t postfix_keytab_t:file read_file_perms; -allow postfix_master_t postfix_map_exec_t:file { mmap_exec_file_perms ioctl lock }; +allow postfix_master_t postfix_map_exec_t:file { ioctl lock mmap_exec_file_perms }; allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms; @@ -504,7 +504,7 @@ optional_policy(` # Map local policy # -allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid }; +allow postfix_map_t self:capability { dac_override dac_read_search setgid setuid }; allow postfix_map_t self:tcp_socket { accept listen }; allow postfix_map_t postfix_etc_t:dir manage_dir_perms; diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te index d04487038d..dea98a7fce 100644 --- a/policy/modules/services/postfixpolicyd.te +++ b/policy/modules/services/postfixpolicyd.te @@ -26,7 +26,7 @@ files_type(postfix_policyd_tmp_t) # Local policy # -allow postfix_policyd_t self:capability { chown sys_chroot sys_resource setgid setuid }; +allow postfix_policyd_t self:capability { chown setgid setuid sys_chroot sys_resource }; allow postfix_policyd_t self:process { setrlimit signal signull }; allow postfix_policyd_t self:tcp_socket { accept listen }; 
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 26edc00545..8ad2f407de 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -67,34 +67,34 @@ template(`postgresql_role',` allow $2 user_sepgsql_schema_t:db_schema { create drop setattr }; allow $2 user_sepgsql_table_t:db_table { create drop setattr }; allow $2 user_sepgsql_table_t:db_column { create drop setattr }; - allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; - allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value }; + allow $2 user_sepgsql_sysobj_t:db_tuple { delete insert update }; + allow $2 user_sepgsql_seq_t:db_sequence { create drop set_value setattr }; allow $2 user_sepgsql_view_t:db_view { create drop setattr }; allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; ') - allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; + allow $2 user_sepgsql_schema_t:db_schema { add_name getattr remove_name search }; type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; - allow $2 user_sepgsql_table_t:db_table { getattr select update insert delete lock }; - allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; - allow $2 user_sepgsql_table_t:db_tuple { select update insert delete }; + allow $2 user_sepgsql_table_t:db_table { delete getattr insert lock select update }; + allow $2 user_sepgsql_table_t:db_column { getattr insert select update }; + allow $2 user_sepgsql_table_t:db_tuple { delete insert select update }; type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t; - allow $2 user_sepgsql_sysobj_t:db_tuple { use select }; + allow $2 user_sepgsql_sysobj_t:db_tuple { select use }; type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; - allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value }; + allow $2 user_sepgsql_seq_t:db_sequence { get_value getattr next_value }; type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t; - allow $2 user_sepgsql_view_t:db_view { 
getattr expand }; + allow $2 user_sepgsql_view_t:db_view { expand getattr }; type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t; - allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; + allow $2 user_sepgsql_proc_exec_t:db_procedure { execute getattr }; type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t; - allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; + allow $2 user_sepgsql_blob_t:db_blob { create drop export getattr import read setattr write }; type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t; allow $2 sepgsql_ranged_proc_t:process transition; 
@@ -501,28 +501,28 @@ interface(`postgresql_unpriv_client',` type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; allow $1 sepgsql_trusted_proc_t:process transition; - allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; + allow $1 unpriv_sepgsql_blob_t:db_blob { create drop export getattr import read setattr write }; type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; - allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; + allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { execute getattr }; type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t; - allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name }; + allow $1 unpriv_sepgsql_schema_t:db_schema { add_name getattr remove_name }; type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; - allow $1 unpriv_sepgsql_table_t:db_table { getattr select update insert delete lock }; - allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; - allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; + allow $1 unpriv_sepgsql_table_t:db_table { delete getattr insert lock select update }; + allow $1 unpriv_sepgsql_table_t:db_column { getattr insert select update }; + allow $1 unpriv_sepgsql_table_t:db_tuple { delete insert select update }; type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t; - allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value }; + allow $1 unpriv_sepgsql_seq_t:db_sequence { get_value getattr next_value set_value }; type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t; - allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select }; + allow $1 unpriv_sepgsql_sysobj_t:db_tuple { select use }; type_transition $1 sepgsql_sysobj_table_type:db_tuple 
unpriv_sepgsql_sysobj_t; - allow $1 unpriv_sepgsql_view_t:db_view { getattr expand }; + allow $1 unpriv_sepgsql_view_t:db_view { expand getattr }; type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t; @@ -530,7 +530,7 @@ interface(`postgresql_unpriv_client',` allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr }; allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; - allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; + allow $1 unpriv_sepgsql_sysobj_t:db_tuple { delete insert update }; allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr }; allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr }; allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 7eec1b6651..be3e10126c 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te 
@@ -232,37 +232,37 @@ allow postgresql_t self:shm create_shm_perms; allow postgresql_t self:tcp_socket create_stream_socket_perms; allow postgresql_t self:udp_socket create_stream_socket_perms; allow postgresql_t self:unix_dgram_socket create_socket_perms; -allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow postgresql_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow postgresql_t self:netlink_selinux_socket create_socket_perms; tunable_policy(`sepgsql_transmit_client_label',` allow postgresql_t self:process { setsockcreate }; ') -allow postgresql_t sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access install_module load_module get_param set_param }; +allow postgresql_t sepgsql_database_type:db_database { access create drop get_param getattr install_module load_module relabelfrom relabelto set_param setattr }; allow postgresql_t sepgsql_module_type:db_database install_module; # Database/Loadable module allow sepgsql_database_type sepgsql_module_type:db_database load_module; -allow postgresql_t {sepgsql_schema_type sepgsql_temp_object_t}:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name } ; +allow postgresql_t {sepgsql_schema_type sepgsql_temp_object_t}:db_schema { add_name create drop getattr relabelfrom relabelto remove_name search setattr } ; type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_schema_t; type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; -allow postgresql_t sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto select update insert delete lock }; -allow postgresql_t sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto select update insert }; -allow postgresql_t sepgsql_table_type:db_tuple { relabelfrom relabelto use select update insert delete }; +allow postgresql_t sepgsql_table_type:db_table { 
create delete drop getattr insert lock relabelfrom relabelto select setattr update }; +allow postgresql_t sepgsql_table_type:db_column { create drop getattr insert relabelfrom relabelto select setattr update }; +allow postgresql_t sepgsql_table_type:db_tuple { delete insert relabelfrom relabelto select update use }; type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t; -allow postgresql_t sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value }; +allow postgresql_t sepgsql_sequence_type:db_sequence { create drop get_value getattr next_value relabelfrom relabelto set_value setattr }; type_transition postgresql_t sepgsql_schema_type:db_sequence sepgsql_seq_t; -allow postgresql_t sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto expand }; +allow postgresql_t sepgsql_view_type:db_view { create drop expand getattr relabelfrom relabelto setattr }; type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t; -allow postgresql_t sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint install }; +allow postgresql_t sepgsql_procedure_type:db_procedure { create drop entrypoint execute getattr install relabelfrom relabelto setattr }; type_transition postgresql_t sepgsql_schema_type:db_procedure sepgsql_proc_exec_t; -allow postgresql_t sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto read write import export }; +allow postgresql_t sepgsql_blob_type:db_blob { create drop export getattr import read relabelfrom relabelto setattr write }; type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t; manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) 
@@ -424,39 +424,39 @@ postgresql_unconfined(sepgsql_ranged_proc_t)
 # Rules common to all clients
 #
-allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };
+allow sepgsql_client_type sepgsql_db_t:db_database { access get_param getattr set_param };
 type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;
 allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search };
-allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr select insert lock };
-allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr select insert };
-allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr insert lock select };
+allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr insert select };
+allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { insert select };
-allow sepgsql_client_type sepgsql_table_t:db_table { getattr select update insert delete lock };
-allow sepgsql_client_type sepgsql_table_t:db_column { getattr select update insert };
-allow sepgsql_client_type sepgsql_table_t:db_tuple { select update insert delete };
+allow sepgsql_client_type sepgsql_table_t:db_table { delete getattr insert lock select update };
+allow sepgsql_client_type sepgsql_table_t:db_column { getattr insert select update };
+allow sepgsql_client_type sepgsql_table_t:db_tuple { delete insert select update };
-allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock };
+allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr lock select };
 allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select };
 allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select };
 allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
 allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;
-allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock };
+allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr lock select };
 allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select };
-allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
+allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { select use };
-allow sepgsql_client_type sepgsql_seq_t:db_sequence { getattr get_value next_value };
+allow sepgsql_client_type sepgsql_seq_t:db_sequence { get_value getattr next_value };
-allow sepgsql_client_type sepgsql_view_t:db_view { getattr expand };
+allow sepgsql_client_type sepgsql_view_t:db_view { expand getattr };
-allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install };
-allow sepgsql_client_type sepgsql_trusted_procedure_type:db_procedure { getattr execute entrypoint };
+allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { execute getattr install };
+allow sepgsql_client_type sepgsql_trusted_procedure_type:db_procedure { entrypoint execute getattr };
 allow sepgsql_client_type sepgsql_lang_t:db_language { getattr };
-allow sepgsql_client_type sepgsql_safe_lang_t:db_language { getattr execute };
+allow sepgsql_client_type sepgsql_safe_lang_t:db_language { execute getattr };
 # Only DBA can implement SQL procedures using `unsafe' procedural languages.
 # The `unsafe' one provides a capability to access internal data structure,
@@ -464,7 +464,7 @@ allow sepgsql_client_type sepgsql_safe_lang_t:db_language { getattr execute };
 allow sepgsql_proc_exec_t sepgsql_lang_t:db_language { implement };
 allow sepgsql_procedure_type sepgsql_safe_lang_t:db_language { implement };
-allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
+allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr read setattr write };
 allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
 allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
@@ -479,16 +479,16 @@ allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
 # to access classified tuples and can make a audit record.
 #
 # Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
-dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
+dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { delete insert select update use };
 # It is always allowed to operate temporary objects for any database client.
-allow sepgsql_client_type sepgsql_temp_object_t:db_schema { create drop getattr setattr search add_name remove_name };
-allow sepgsql_client_type sepgsql_temp_object_t:db_table { create drop getattr setattr select update insert delete lock };
-allow sepgsql_client_type sepgsql_temp_object_t:db_column { create drop getattr setattr select update insert };
-allow sepgsql_client_type sepgsql_temp_object_t:db_tuple { use select update insert delete };
-allow sepgsql_client_type sepgsql_temp_object_t:db_sequence { create drop getattr setattr get_value next_value set_value };
-allow sepgsql_client_type sepgsql_temp_object_t:db_view { create drop getattr setattr expand };
-allow sepgsql_client_type sepgsql_temp_object_t:db_procedure { create drop getattr setattr execute entrypoint install };
+allow sepgsql_client_type sepgsql_temp_object_t:db_schema { add_name create drop getattr remove_name search setattr };
+allow sepgsql_client_type sepgsql_temp_object_t:db_table { create delete drop getattr insert lock select setattr update };
+allow sepgsql_client_type sepgsql_temp_object_t:db_column { create drop getattr insert select setattr update };
+allow sepgsql_client_type sepgsql_temp_object_t:db_tuple { delete insert select update use };
+allow sepgsql_client_type sepgsql_temp_object_t:db_sequence { create drop get_value getattr next_value set_value setattr };
+allow sepgsql_client_type sepgsql_temp_object_t:db_view { create drop expand getattr setattr };
+allow sepgsql_client_type sepgsql_temp_object_t:db_procedure { create drop entrypoint execute getattr install setattr };
 # Note that permission of creation/deletion are eventually controlled by
 # create or drop permission of individual objects within shared schemas.
@@ -502,23 +502,23 @@ tunable_policy(`sepgsql_enable_users_ddl',`
 # Rules common to administrator clients
 #
-allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access };
+allow sepgsql_admin_type sepgsql_database_type:db_database { access create drop getattr relabelfrom relabelto setattr };
-allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name };
+allow sepgsql_admin_type sepgsql_schema_type:db_schema { add_name create drop getattr relabelfrom relabelto remove_name search setattr };
 type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_schema_t;
 type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
-allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock };
-allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };
-allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto use select update insert delete };
+allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr lock relabelfrom relabelto setattr };
+allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr relabelfrom relabelto setattr };
+allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { delete insert relabelfrom relabelto select update use };
 type_transition sepgsql_admin_type sepgsql_schema_type:db_table sepgsql_table_t;
-allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value };
+allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop get_value getattr next_value relabelfrom relabelto set_value setattr };
 type_transition sepgsql_admin_type sepgsql_schema_type:db_sequence sepgsql_seq_t;
-allow sepgsql_admin_type sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto expand };
+allow sepgsql_admin_type sepgsql_view_type:db_view { create drop expand getattr relabelfrom relabelto setattr };
 type_transition sepgsql_admin_type sepgsql_schema_type:db_view sepgsql_view_t;
@@ -527,19 +527,19 @@ allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;
 type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;
-allow sepgsql_admin_type sepgsql_temp_object_t:db_schema { create drop getattr setattr search add_name remove_name };
-allow sepgsql_admin_type sepgsql_temp_object_t:db_table { create drop getattr setattr select update insert delete lock };
-allow sepgsql_admin_type sepgsql_temp_object_t:db_column { create drop getattr setattr select update insert };
-allow sepgsql_admin_type sepgsql_temp_object_t:db_tuple { use select update insert delete };
-allow sepgsql_admin_type sepgsql_temp_object_t:db_sequence { create drop getattr setattr get_value next_value set_value };
-allow sepgsql_admin_type sepgsql_temp_object_t:db_view { create drop getattr setattr expand };
-allow sepgsql_admin_type sepgsql_temp_object_t:db_procedure { create drop getattr setattr execute entrypoint install };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_schema { add_name create drop getattr remove_name search setattr };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_table { create delete drop getattr insert lock select setattr update };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_column { create drop getattr insert select setattr update };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_tuple { delete insert select update use };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_sequence { create drop get_value getattr next_value set_value setattr };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_view { create drop expand getattr setattr };
+allow sepgsql_admin_type sepgsql_temp_object_t:db_procedure { create drop entrypoint execute getattr install setattr };
-allow sepgsql_admin_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute };
+allow sepgsql_admin_type sepgsql_language_type:db_language { create drop execute getattr relabelfrom relabelto setattr };
 type_transition sepgsql_admin_type sepgsql_database_type:db_language sepgsql_lang_t;
-allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto };
+allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr relabelfrom relabelto setattr };
 type_transition sepgsql_admin_type sepgsql_database_type:db_blob sepgsql_blob_t;
@@ -548,23 +548,23 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
 kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
 tunable_policy(`sepgsql_unconfined_dbadm',`
- allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access install_module load_module get_param set_param };
+ allow sepgsql_admin_type sepgsql_database_type:db_database { access create drop get_param getattr install_module load_module relabelfrom relabelto set_param setattr };
- allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name };
+ allow sepgsql_admin_type sepgsql_schema_type:db_schema { add_name create drop getattr relabelfrom relabelto remove_name search setattr };
- allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto select update insert delete lock };
- allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto select update insert };
- allow sepgsql_admin_type sepgsql_table_type:db_tuple { relabelfrom relabelto use select update insert delete };
- allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value };
- allow sepgsql_admin_type sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto expand };
+ allow sepgsql_admin_type sepgsql_table_type:db_table { create delete drop getattr insert lock relabelfrom relabelto select setattr update };
+ allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr insert relabelfrom relabelto select setattr update };
+ allow sepgsql_admin_type sepgsql_table_type:db_tuple { delete insert relabelfrom relabelto select update use };
+ allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop get_value getattr next_value relabelfrom relabelto set_value setattr };
+ allow sepgsql_admin_type sepgsql_view_type:db_view { create drop expand getattr relabelfrom relabelto setattr };
- allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint install };
- allow sepgsql_admin_type sepgsql_trusted_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint };
- allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto entrypoint };
+ allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure { create drop entrypoint execute getattr install relabelfrom relabelto setattr };
+ allow sepgsql_admin_type sepgsql_trusted_procedure_type:db_procedure { create drop entrypoint execute getattr relabelfrom relabelto setattr };
+ allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop entrypoint getattr relabelfrom relabelto setattr };
- allow sepgsql_admin_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute };
+ allow sepgsql_admin_type sepgsql_language_type:db_language { create drop execute getattr relabelfrom relabelto setattr };
- allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto read write import export };
+ allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop export getattr import read relabelfrom relabelto setattr write };
 ')
 ########################################
@@ -572,9 +572,9 @@ tunable_policy(`sepgsql_unconfined_dbadm',`
 # Unconfined access to this module
 #
-allow sepgsql_unconfined_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access install_module load_module get_param set_param };
+allow sepgsql_unconfined_type sepgsql_database_type:db_database { access create drop get_param getattr install_module load_module relabelfrom relabelto set_param setattr };
-allow sepgsql_unconfined_type { sepgsql_schema_type sepgsql_temp_object_t }:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name };
+allow sepgsql_unconfined_type { sepgsql_schema_type sepgsql_temp_object_t }:db_schema { add_name create drop getattr relabelfrom relabelto remove_name search setattr };
 type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t;
 type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
@@ -585,21 +585,21 @@ type_transition sepgsql_unconfined_type sepgsql_schema_type:db_procedure sepgsql
 type_transition sepgsql_unconfined_type sepgsql_database_type:db_language sepgsql_lang_t;
 type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
-allow sepgsql_unconfined_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto select update insert delete lock };
-allow sepgsql_unconfined_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto select update insert };
-allow sepgsql_unconfined_type sepgsql_table_type:db_tuple { relabelfrom relabelto use select update insert delete };
-allow sepgsql_unconfined_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value };
-allow sepgsql_unconfined_type sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto expand };
+allow sepgsql_unconfined_type sepgsql_table_type:db_table { create delete drop getattr insert lock relabelfrom relabelto select setattr update };
+allow sepgsql_unconfined_type sepgsql_table_type:db_column { create drop getattr insert relabelfrom relabelto select setattr update };
+allow sepgsql_unconfined_type sepgsql_table_type:db_tuple { delete insert relabelfrom relabelto select update use };
+allow sepgsql_unconfined_type sepgsql_sequence_type:db_sequence { create drop get_value getattr next_value relabelfrom relabelto set_value setattr };
+allow sepgsql_unconfined_type sepgsql_view_type:db_view { create drop expand getattr relabelfrom relabelto setattr };
 # unconfined domain is not allowed to invoke user defined procedure directly.
 # They have to confirm and relabel it at first.
-allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint install };
-allow sepgsql_unconfined_type sepgsql_trusted_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto execute entrypoint };
-allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto entrypoint };
+allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure { create drop entrypoint execute getattr install relabelfrom relabelto setattr };
+allow sepgsql_unconfined_type sepgsql_trusted_procedure_type:db_procedure { create drop entrypoint execute getattr relabelfrom relabelto setattr };
+allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop entrypoint getattr relabelfrom relabelto setattr };
-allow sepgsql_unconfined_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute };
+allow sepgsql_unconfined_type sepgsql_language_type:db_language { create drop execute getattr relabelfrom relabelto setattr };
-allow sepgsql_unconfined_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto read write import export };
+allow sepgsql_unconfined_type sepgsql_blob_type:db_blob { create drop export getattr import read relabelfrom relabelto setattr write };
 allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
diff --git a/policy/modules/services/quantum.te b/policy/modules/services/quantum.te
index 1c1446ff18..0c9c6ec324 100644
--- a/policy/modules/services/quantum.te
+++ b/policy/modules/services/quantum.te
@@ -27,7 +27,7 @@ files_type(quantum_var_lib_t)
 #
 allow quantum_t self:capability { setgid setuid sys_resource };
-allow quantum_t self:process { setsched setrlimit };
+allow quantum_t self:process { setrlimit setsched };
 allow quantum_t self:fifo_file rw_fifo_file_perms;
 allow quantum_t self:key manage_key_perms;
 allow quantum_t self:tcp_socket { accept listen };
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index 8f2f3b6115..2d2800649f 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
@@ -39,7 +39,7 @@ role system_r types system_razor_t;
 # Common razor domain local policy
 #
-allow razor_domain self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow razor_domain self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
 allow razor_domain self:fd use;
 allow razor_domain self:fifo_file rw_fifo_file_perms;
 allow razor_domain self:unix_dgram_socket sendto;
diff --git a/policy/modules/services/redis.te b/policy/modules/services/redis.te
index 3ac378f9d5..676677348d 100644
--- a/policy/modules/services/redis.te
+++ b/policy/modules/services/redis.te
@@ -29,7 +29,7 @@ files_type(redis_var_lib_t)
 # Local policy
 #
-allow redis_t self:process { setrlimit signal_perms getsched };
+allow redis_t self:process { getsched setrlimit signal_perms };
 allow redis_t self:fifo_file rw_fifo_file_perms;
 allow redis_t self:unix_stream_socket create_stream_socket_perms;
 allow redis_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
index f9a9beccbe..48efc67ee9 100644
--- a/policy/modules/services/remotelogin.te
+++ b/policy/modules/services/remotelogin.te
@@ -19,8 +19,8 @@ files_tmp_file(remote_login_tmp_t)
 #
 allow remote_login_t self:capability { chown dac_override fowner fsetid kill net_bind_service setgid setuid sys_nice sys_resource sys_tty_config };
-allow remote_login_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
-allow remote_login_t self:process { setrlimit setexec };
+allow remote_login_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
+allow remote_login_t self:process { setexec setrlimit };
 allow remote_login_t self:fd use;
 allow remote_login_t self:fifo_file rw_fifo_file_perms;
 allow remote_login_t self:unix_dgram_socket sendto;
diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
index b4e60ab1ad..af2964ca1e 100644
--- a/policy/modules/services/rhsmcertd.te
+++ b/policy/modules/services/rhsmcertd.te
@@ -30,7 +30,7 @@ files_type(rhsmcertd_var_lib_t)
 #
 allow rhsmcertd_t self:capability sys_nice;
-allow rhsmcertd_t self:process { signal setsched };
+allow rhsmcertd_t self:process { setsched signal };
 allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
 allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 1909d504b0..0b1fa1a4e2 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -313,7 +313,7 @@ optional_policy(`
 # NFSD local policy
 #
-allow nfsd_t self:capability { dac_override dac_read_search setpcap sys_admin sys_resource lease };
+allow nfsd_t self:capability { dac_override dac_read_search lease setpcap sys_admin sys_resource };
 allow nfsd_t self:process setcap;
 allow nfsd_t exports_t:file read_file_perms;
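Review bot: The two consecutive `allow remote_login_t self:process` rules in the remotelogin.te hunk carry the same source, target and class, so after the sort they are a single rule split in two; merging them keeps the list greppable and makes the full set of process permissions this login domain gets visible in one place, which is the reason for sorting in the first place. The merged line would be `allow remote_login_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setexec setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition };`, which is the union of the two sets with nothing added or dropped. The smbd_t and squid_t hunks later in this commit already fold `setrlimit` into the same long list, so the merged form matches the rest of the change. If the second rule is kept separate on purpose (for instance because it was added later as a distinct grant), a one-line comment such as `# setexec/setrlimit: context switch and limits for the spawned login session` above it would record that; the rest of remote_login_t's policy continues outside the hunk.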
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
index c88d40ec1a..0323f7f1bc 100644
--- a/policy/modules/services/rshd.te
+++ b/policy/modules/services/rshd.te
@@ -19,7 +19,7 @@ files_type(rshd_keytab_t)
 #
 allow rshd_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
-allow rshd_t self:process { signal_perms setsched setpgid setexec };
+allow rshd_t self:process { setexec setpgid setsched signal_perms };
 allow rshd_t self:fifo_file rw_fifo_file_perms;
 allow rshd_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/rtkit.te b/policy/modules/services/rtkit.te
index 34a64003a4..301c8e0086 100644
--- a/policy/modules/services/rtkit.te
+++ b/policy/modules/services/rtkit.te
@@ -22,7 +22,7 @@ init_unit_file(rtkit_daemon_unit_t)
 allow rtkit_daemon_t self:capability { dac_read_search setgid setpcap setuid sys_chroot sys_nice sys_ptrace };
 allow rtkit_daemon_t self:cap_userns { sys_nice sys_ptrace };
-allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
+allow rtkit_daemon_t self:process { getcap setcap setrlimit setsched };
 kernel_read_system_state(rtkit_daemon_t)
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index f78d316cc5..a4dc705cc9 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -201,7 +201,7 @@ files_tmp_file(winbind_tmp_t)
 allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice };
 allow samba_net_t self:capability2 block_suspend;
-allow samba_net_t self:process { sigkill getsched setsched };
+allow samba_net_t self:process { getsched setsched sigkill };
 allow samba_net_t self:unix_stream_socket { accept listen };
 allow samba_net_t self:fifo_file rw_inherited_fifo_file_perms;
@@ -268,11 +268,11 @@ optional_policy(`
 #
 allow smbd_t self:capability { chown dac_override dac_read_search fowner fsetid kill lease setgid setuid sys_admin sys_chroot sys_nice sys_resource };
-dontaudit smbd_t self:capability { sys_tty_config net_admin };
-allow smbd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+dontaudit smbd_t self:capability { net_admin sys_tty_config };
+allow smbd_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition };
 allow smbd_t self:fd use;
 allow smbd_t self:fifo_file rw_fifo_file_perms;
-allow smbd_t self:msg { send receive };
+allow smbd_t self:msg { receive send };
 allow smbd_t self:msgq create_msgq_perms;
 allow smbd_t self:sem create_sem_perms;
 allow smbd_t self:shm create_shm_perms;
@@ -518,11 +518,11 @@ optional_policy(`
 # Nmbd Local policy
 #
-dontaudit nmbd_t self:capability { sys_tty_config net_admin };
-allow nmbd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+dontaudit nmbd_t self:capability { net_admin sys_tty_config };
+allow nmbd_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
 allow nmbd_t self:fd use;
 allow nmbd_t self:fifo_file rw_fifo_file_perms;
-allow nmbd_t self:msg { send receive };
+allow nmbd_t self:msg { receive send };
 allow nmbd_t self:msgq create_msgq_perms;
 allow nmbd_t self:sem create_sem_perms;
 allow nmbd_t self:shm create_shm_perms;
@@ -746,7 +746,7 @@ allow swat_t self:unix_stream_socket connectto;
 allow swat_t { nmbd_t smbd_t }:process { signal signull };
 allow swat_t samba_runtime_t:file read_file_perms;
-allow swat_t samba_runtime_t:file { lock delete_file_perms };
+allow swat_t samba_runtime_t:file { delete_file_perms lock };
 rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
@@ -853,7 +853,7 @@ optional_policy(`
 allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
 dontaudit winbind_t self:capability sys_tty_config;
 dontaudit winbind_t self:cap_userns kill;
-allow winbind_t self:process { signal_perms getsched setsched };
+allow winbind_t self:process { getsched setsched signal_perms };
 allow winbind_t self:fifo_file rw_fifo_file_perms;
 allow winbind_t self:unix_stream_socket { accept listen };
 allow winbind_t self:tcp_socket { accept listen };
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
index 5c461ef62a..f94a7a8d41 100644
--- a/policy/modules/services/sanlock.te
+++ b/policy/modules/services/sanlock.te
@@ -44,7 +44,7 @@ ifdef(`enable_mls',`
 #
 allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
-allow sanlock_t self:process { setrlimit setsched signull signal sigkill };
+allow sanlock_t self:process { setrlimit setsched sigkill signal signull };
 allow sanlock_t self:fifo_file rw_fifo_file_perms;
 allow sanlock_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index ba31f3e3ab..95c8976515 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -42,7 +42,7 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
 #
 allow sendmail_t self:capability { chown dac_override setgid setuid sys_nice sys_tty_config };
-allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
+allow sendmail_t self:process { setpgid setrlimit setsched signal signull };
 allow sendmail_t self:fifo_file rw_fifo_file_perms;
 allow sendmail_t self:unix_stream_socket { accept listen };
 allow sendmail_t self:tcp_socket { accept listen };
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index b21e2ffa21..e83599c32b 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -28,7 +28,7 @@ logging_log_file(setroubleshoot_var_log_t)
 #
 allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
-allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack };
+allow setroubleshootd_t self:process { execmem execstack getattr getsched setsched sigkill signal signull };
 allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
 allow setroubleshootd_t self:tcp_socket { accept listen };
 allow setroubleshootd_t self:unix_stream_socket { accept connectto listen };
@@ -152,7 +152,7 @@ optional_policy(`
 #
 allow setroubleshoot_fixit_t self:capability sys_nice;
-allow setroubleshoot_fixit_t self:process { setsched getsched };
+allow setroubleshoot_fixit_t self:process { getsched setsched };
 allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms;
 allow setroubleshoot_fixit_t setroubleshootd_t:process signull;
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index e7ecd98396..55b46d7970 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -42,7 +42,7 @@ init_system_domain(smartmon_update_drivedb_t, smartmon_update_drivedb_exec_t)
 # Local policy
 #
-allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };
+allow fsdaemon_t self:capability { dac_override kill setgid setpcap setuid sys_admin sys_rawio };
 dontaudit fsdaemon_t self:capability { net_admin sys_tty_config };
 allow fsdaemon_t self:process { getcap setcap signal_perms };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index b498e894be..4de9c82d09 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -29,7 +29,7 @@ files_type(snmpd_var_lib_t)
 allow snmpd_t self:capability { chown dac_override ipc_lock kill net_admin setgid setuid sys_nice sys_ptrace sys_tty_config };
 dontaudit snmpd_t self:capability { sys_module sys_tty_config };
 allow snmpd_t self:cap_userns sys_ptrace;
-allow snmpd_t self:process { signal_perms getsched setsched };
+allow snmpd_t self:process { getsched setsched signal_perms };
 allow snmpd_t self:fifo_file rw_fifo_file_perms;
 allow snmpd_t self:unix_stream_socket { accept connectto listen };
 allow snmpd_t self:tcp_socket { accept listen };
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 1d28b30696..1c3a83f965 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -119,7 +119,7 @@ role system_r types spamd_update_t; # Standalone local policy # -allow spamassassin_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow spamassassin_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow spamassassin_t self:fd use; allow spamassassin_t self:fifo_file rw_fifo_file_perms; allow spamassassin_t self:unix_dgram_socket sendto; @@ -196,7 +196,7 @@ optional_policy(` # allow spamc_t self:capability dac_override; -allow spamc_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow spamc_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow spamc_t self:fd use; allow spamc_t self:fifo_file rw_fifo_file_perms; allow spamc_t self:unix_dgram_socket sendto; @@ -311,7 +311,7 @@ optional_policy(` # allow spamd_t self:capability { dac_override kill setgid setuid }; -allow spamd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow spamd_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow spamd_t self:fd use; allow spamd_t self:fifo_file rw_fifo_file_perms; allow spamd_t self:unix_dgram_socket sendto; 
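Review bot: The three `self:process` sets rewritten here for spamassassin_t, spamc_t and spamd_t are now visibly the same 18-member list, and the identical list appears again in the ssh.if and ssh.te hunks on this page (the squid.te and xserver.te hunks carry the same list plus one member each). Sorting makes the duplication obvious but keeps it; a shared permission-set definition in the policy support macros, referenced from each of these rules, would stop the copies from drifting apart when a permission is added to one and not the others. I have not checked whether such a set already exists in the support files, so the name and placement are for the policy maintainers to choose.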
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te index 9c0933c79b..b8a79f3b16 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -61,13 +61,13 @@ files_tmpfs_file(squid_tmpfs_t) allow squid_t self:capability { dac_override kill setgid setuid sys_resource }; dontaudit squid_t self:capability sys_tty_config; -allow squid_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow squid_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition }; allow squid_t self:fifo_file rw_fifo_file_perms; allow squid_t self:fd use; allow squid_t self:shm create_shm_perms; allow squid_t self:sem create_sem_perms; allow squid_t self:msgq create_msgq_perms; -allow squid_t self:msg { send receive }; +allow squid_t self:msg { receive send }; allow squid_t self:unix_dgram_socket sendto; allow squid_t self:unix_stream_socket { accept connectto listen }; allow squid_t self:tcp_socket { accept listen }; diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 4b5fd5d33f..b3394bd920 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if 
@@ -56,15 +56,15 @@ template(`ssh_basic_client_template',` # allow $1_ssh_t self:capability { dac_override dac_read_search setgid setuid }; - allow $1_ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; + allow $1_ssh_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow $1_ssh_t self:fd use; allow $1_ssh_t self:fifo_file rw_inherited_fifo_file_perms; allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto }; - allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow $1_ssh_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow $1_ssh_t self:shm create_shm_perms; allow $1_ssh_t self:sem create_sem_perms; allow $1_ssh_t self:msgq create_msgq_perms; - allow $1_ssh_t self:msg { send receive }; + allow $1_ssh_t self:msg { receive send }; allow $1_ssh_t self:tcp_socket create_stream_socket_perms; # for rsync 
@@ -198,14 +198,14 @@ template(`ssh_server_template', ` # net_admin is for SO_SNDBUFFORCE dontaudit $1_t self:capability net_admin; allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; + allow $1_t self:process { getsched setexec setkeycreate setrlimit setsched signal }; allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; # ssh agent connections: allow $1_t self:unix_stream_socket create_stream_socket_perms; allow $1_t self:shm create_shm_perms; - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; + allow $1_t $1_devpts_t:chr_file { getattr relabelfrom rw_chr_file_perms setattr }; term_create_pty($1_t, $1_devpts_t) manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) @@ -380,7 +380,7 @@ template(`ssh_role_template',` allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull; - allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow $1_ssh_agent_t self:unix_stream_socket { connectto create_stream_socket_perms }; manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index a93f2447d9..2d10ecb736 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te 
@@ -86,16 +86,16 @@ ifdef(`distro_debian',` # allow ssh_t self:capability { dac_override dac_read_search setgid setuid }; -allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow ssh_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; allow ssh_t self:key manage_key_perms; allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; -allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow ssh_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow ssh_t self:shm create_shm_perms; allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; -allow ssh_t self:msg { send receive }; +allow ssh_t self:msg { receive send }; allow ssh_t self:tcp_socket create_stream_socket_perms; # Read the ssh key file. @@ -235,7 +235,7 @@ allow sshd_t self:capability dac_read_search; # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; -allow sshd_t self:key { search link write }; +allow sshd_t self:key { link search write }; allow sshd_t sshd_keytab_t:file read_file_perms; @@ -332,7 +332,7 @@ optional_policy(` # and by sysadm_t dontaudit ssh_keygen_t self:capability sys_tty_config; -allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; +allow ssh_keygen_t self:process { sigchld sigkill signal signull sigstop }; allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te index 1dd2d3fe35..f356770a8d 100644 --- a/policy/modules/services/sssd.te +++ b/policy/modules/services/sssd.te 
@@ -35,7 +35,7 @@ logging_log_file(sssd_var_log_t) allow sssd_t self:capability { chown dac_override dac_read_search kill net_admin setgid setuid sys_admin sys_nice sys_resource }; allow sssd_t self:capability2 block_suspend; -allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; +allow sssd_t self:process { getsched setfscreate setrlimit setsched sigkill signal }; allow sssd_t self:fifo_file rw_fifo_file_perms; allow sssd_t self:key manage_key_perms; allow sssd_t self:unix_stream_socket { accept connectto listen }; diff --git a/policy/modules/services/svnserve.te b/policy/modules/services/svnserve.te index ba09ad1a02..f47e1b8ac6 100644 --- a/policy/modules/services/svnserve.te +++ b/policy/modules/services/svnserve.te @@ -25,7 +25,7 @@ files_runtime_file(svnserve_runtime_t) allow svnserve_t self:fifo_file rw_fifo_file_perms; allow svnserve_t self:tcp_socket create_stream_socket_perms; -allow svnserve_t self:unix_stream_socket { listen accept }; +allow svnserve_t self:unix_stream_socket { accept listen }; manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) diff --git a/policy/modules/services/sympa.if b/policy/modules/services/sympa.if index 79ed3b2a8a..9845b40dab 100644 --- a/policy/modules/services/sympa.if +++ b/policy/modules/services/sympa.if @@ -168,7 +168,7 @@ interface(`sympa_manage_runtime_sock_files',` ') allow $1 sympa_runtime_t:dir rw_dir_perms; - allow $1 sympa_runtime_t:sock_file { setattr create unlink write }; + allow $1 sympa_runtime_t:sock_file { create setattr unlink write }; ') ######################################## diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te index 6bc5453f0b..913680c35f 100644 --- a/policy/modules/services/tcsd.te +++ b/policy/modules/services/tcsd.te 
@@ -24,7 +24,7 @@ files_type(tcsd_var_lib_t) # allow tcsd_t self:capability { dac_override setuid }; -allow tcsd_t self:process { signal sigkill }; +allow tcsd_t self:process { sigkill signal }; allow tcsd_t self:tcp_socket { accept listen }; manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t) diff --git a/policy/modules/services/thunderbolt.te b/policy/modules/services/thunderbolt.te index c65aed330e..49b4e56169 100644 --- a/policy/modules/services/thunderbolt.te +++ b/policy/modules/services/thunderbolt.te @@ -23,7 +23,7 @@ files_runtime_file(thunderboltd_runtime_t) # allow thunderboltd_t self:unix_dgram_socket { create write }; -allow thunderboltd_t self:netlink_kobject_uevent_socket { create getattr read bind getopt setopt }; +allow thunderboltd_t self:netlink_kobject_uevent_socket { bind create getattr getopt read setopt }; manage_dirs_pattern(thunderboltd_t, thunderboltd_var_lib_t, thunderboltd_var_lib_t) manage_files_pattern(thunderboltd_t, thunderboltd_var_lib_t, thunderboltd_var_lib_t) diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te index 46b253ecec..19f72e507e 100644 --- a/policy/modules/services/timidity.te +++ b/policy/modules/services/timidity.te @@ -20,7 +20,7 @@ files_tmpfs_file(timidity_tmpfs_t) allow timidity_t self:capability { dac_override dac_read_search }; dontaudit timidity_t self:capability sys_tty_config; -allow timidity_t self:process { signal_perms getsched }; +allow timidity_t self:process { getsched signal_perms }; allow timidity_t self:shm create_shm_perms; allow timidity_t self:unix_stream_socket { accept listen }; allow timidity_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/modules/services/tpm2.if b/policy/modules/services/tpm2.if index 1499c1c03a..2ed89eab50 100644 --- a/policy/modules/services/tpm2.if +++ b/policy/modules/services/tpm2.if 
@@ -162,10 +162,10 @@ interface(`tpm2_read_pipes',` interface(`tpm2_enabledisable_abrmd',` gen_require(` type tpm2_abrmd_unit_t; - class service { enable disable }; + class service { disable enable }; ') - allow $1 tpm2_abrmd_unit_t:service { enable disable }; + allow $1 tpm2_abrmd_unit_t:service { disable enable }; ') ######################################## diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te index 9a866deea7..e7f1bc6fee 100644 --- a/policy/modules/services/vhostmd.te +++ b/policy/modules/services/vhostmd.te @@ -24,7 +24,7 @@ files_tmpfs_file(vhostmd_tmpfs_t) # allow vhostmd_t self:capability { dac_override ipc_lock setgid setuid }; -allow vhostmd_t self:process { setsched getsched signal }; +allow vhostmd_t self:process { getsched setsched signal }; allow vhostmd_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te index 575e5958c1..d1ca4e8102 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -221,7 +221,7 @@ ifdef(`enable_mls',` # Common virt domain local policy # -allow virt_domain self:process { signal getsched signull }; +allow virt_domain self:process { getsched signal signull }; allow virt_domain self:fifo_file rw_fifo_file_perms; allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms; allow virt_domain self:netlink_route_socket r_netlink_socket_perms; 
@@ -454,7 +454,7 @@ allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid dontaudit virtd_t self:capability { sys_module sys_ptrace }; allow virtd_t self:capability2 { bpf perfmon }; allow virtd_t self:bpf { map_create map_read map_write prog_load prog_run }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; +allow virtd_t self:process { execmem getcap getsched setcap setexec setfscreate setrlimit setsched setsockcreate sigkill signal signull }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen }; @@ -465,15 +465,15 @@ allow virtd_t self:netlink_generic_socket create_socket_perms; allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; allow virtd_t self:netlink_route_socket nlmsg_write; -allow virtd_t virt_domain:process { getattr getsched setsched transition rlimitinh signal signull sigkill }; -dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; +allow virtd_t virt_domain:process { getattr getsched rlimitinh setsched sigkill signal signull transition }; +dontaudit virtd_t virt_domain:process { noatsecure rlimitinh siginh }; -allow virtd_t virt_domain:unix_stream_socket { create_stream_socket_perms connectto }; +allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms }; allow virtd_t virtlogd_t:fd use; allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms; -allow virtd_t virtd_lxc_t:process { signal signull sigkill }; +allow virtd_t virtd_lxc_t:process { sigkill signal signull }; domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) 
@@ -833,7 +833,7 @@ optional_policy(` # allow virsh_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config }; -allow virsh_t self:process { getcap getsched setsched setcap signal }; +allow virsh_t self:process { getcap getsched setcap setsched signal }; allow virsh_t self:fifo_file rw_fifo_file_perms; allow virsh_t self:unix_stream_socket { accept connectto listen }; allow virsh_t self:tcp_socket { accept listen }; @@ -974,7 +974,7 @@ optional_policy(` # allow virtd_lxc_t self:capability { chown dac_override net_admin net_raw setpcap sys_admin sys_boot sys_resource }; -allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms }; +allow virtd_lxc_t self:process { getcap setcap setexec setrlimit setsched signal_perms }; allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; allow virtd_lxc_t self:netlink_route_socket nlmsg_write; allow virtd_lxc_t self:unix_stream_socket { accept listen }; @@ -1114,7 +1114,7 @@ optional_policy(` # Bridgehelper local policy # -allow virt_bridgehelper_t self:process { setcap getcap }; +allow virt_bridgehelper_t self:process { getcap setcap }; allow virt_bridgehelper_t self:capability { net_admin setgid setpcap setuid }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te index dc19679c6a..15921821ba 100644 --- a/policy/modules/services/xfs.te +++ b/policy/modules/services/xfs.te @@ -25,7 +25,7 @@ files_tmp_file(xfs_tmp_t) allow xfs_t self:capability { dac_override setgid setuid }; dontaudit xfs_t self:capability sys_tty_config; -allow xfs_t self:process { signal_perms setpgid }; +allow xfs_t self:process { setpgid signal_perms }; allow xfs_t self:unix_stream_socket { accept listen }; allow xfs_t self:tcp_socket { accept listen }; 
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index c4e64d4ea2..b00b013e11 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -257,7 +257,7 @@ interface(`xserver_ro_session',` # Xserver read/write client shm allow xserver_t $1:fd use; allow xserver_t $1:shm rw_shm_perms; - allow xserver_t $2:file { rw_file_perms map }; + allow xserver_t $2:file { map rw_file_perms }; # Connect to xserver allow $1 xserver_t:unix_stream_socket connectto; @@ -319,7 +319,7 @@ interface(`xserver_rw_session',` # interface(`xserver_non_drawing_client',` gen_require(` - class x_drawable { getattr get_property }; + class x_drawable { get_property getattr }; class x_extension { query use }; class x_gc { create setattr }; class x_property read; @@ -334,7 +334,7 @@ interface(`xserver_non_drawing_client',` allow $1 xserver_t:unix_stream_socket connectto; allow $1 xextension_t:x_extension { query use }; - allow $1 root_xdrawable_t:x_drawable { getattr get_property }; + allow $1 root_xdrawable_t:x_drawable { get_property getattr }; allow $1 xproperty_t:x_property read; ') @@ -1639,7 +1639,7 @@ interface(`xserver_manage_core_devices',` class x_keyboard all_x_keyboard_perms; ') - allow $1 xserver_t:{ x_device x_pointer x_keyboard } { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy }; + allow $1 xserver_t:{ x_device x_pointer x_keyboard } { add bell create destroy force_cursor freeze get_property getattr getfocus grab list_property manage read remove set_property setattr setfocus use write }; ') ######################################## @@ -1679,7 +1679,7 @@ interface(`xserver_rw_xdm_keys',` type xdm_t; ') - allow $1 xdm_t:key { read write setattr }; + allow $1 xdm_t:key { read setattr write }; ') ######################################## 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 13ffacabe9..853e2ffb94 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -332,7 +332,7 @@ optional_policy(` allow xdm_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_owner kill mknod net_bind_service setgid setuid sys_nice sys_rawio sys_resource sys_tty_config }; dontaudit xdm_t self:capability sys_admin; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms }; +allow xdm_t self:process { getsched setexec setpgid setrlimit setsched signal_perms }; allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; @@ -340,7 +340,7 @@ allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow xdm_t self:unix_dgram_socket create_socket_perms; allow xdm_t self:socket create_socket_perms; allow xdm_t self:appletalk_socket create_socket_perms; -allow xdm_t self:key { search link write }; +allow xdm_t self:key { link search write }; allow xdm_t xconsole_device_t:fifo_file { read_fifo_file_perms setattr_fifo_file_perms }; @@ -388,12 +388,12 @@ allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms }; +allow xdm_t xserver_tmp_t:dir { list_dir_perms setattr }; # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) allow xserver_t xdm_t:process signal; -allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; +allow xdm_t xserver_t:process { noatsecure rlimitinh siginh sigkill signal }; allow xdm_t xserver_t:shm rw_shm_perms; 
@@ -673,16 +673,16 @@ allow xserver_t input_xevent_t:x_event send; allow xserver_t self:capability { dac_override fowner fsetid ipc_owner mknod net_bind_service setgid setuid sys_admin sys_nice sys_rawio sys_tty_config }; dontaudit xserver_t self:capability chown; allow xserver_t self:capability2 wake_alarm; -allow xserver_t self:process { fork transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow xserver_t self:process { dyntransition fork getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; allow xserver_t self:shm create_shm_perms; allow xserver_t self:sem create_sem_perms; allow xserver_t self:msgq create_msgq_perms; -allow xserver_t self:msg { send receive }; +allow xserver_t self:msg { receive send }; allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; -allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow xserver_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms; # this file should be accessed only by xserver_t (ro) and xdm_t (rw) 
@@ -832,21 +832,21 @@ tunable_policy(`!xserver_object_manager',` # should be xserver_unconfined(xserver_t), # but typeattribute doesnt work in conditionals - allow xserver_t self:x_server { getattr setattr record debug grab manage }; - allow xserver_t { x_domain root_xdrawable_t }:x_drawable { create destroy read write blend getattr setattr list_child add_child remove_child list_property get_property set_property manage override show hide send receive }; - allow xserver_t self:x_screen { getattr setattr hide_cursor show_cursor saver_getattr saver_setattr saver_hide saver_show }; + allow xserver_t self:x_server { debug getattr grab manage record setattr }; + allow xserver_t { x_domain root_xdrawable_t }:x_drawable { add_child blend create destroy get_property getattr hide list_child list_property manage override read receive remove_child send set_property setattr show write }; + allow xserver_t self:x_screen { getattr hide_cursor saver_getattr saver_hide saver_setattr saver_show setattr show_cursor }; allow xserver_t x_domain:x_gc { create destroy getattr setattr use }; - allow xserver_t { x_domain root_xcolormap_t }:x_colormap { create destroy read write getattr add_color remove_color install uninstall use }; - allow xserver_t xproperty_type:x_property { create destroy read write append getattr setattr }; - allow xserver_t xselection_type:x_selection { read write getattr setattr }; - allow xserver_t x_domain:x_cursor { create destroy read write getattr setattr use }; - allow xserver_t x_domain:x_client { destroy getattr setattr manage }; - allow xserver_t { x_domain xserver_t }:x_device { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy }; - allow xserver_t { x_domain xserver_t }:x_pointer { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy }; - allow xserver_t { 
x_domain xserver_t }:x_keyboard { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy }; + allow xserver_t { x_domain root_xcolormap_t }:x_colormap { add_color create destroy getattr install read remove_color uninstall use write }; + allow xserver_t xproperty_type:x_property { append create destroy getattr read setattr write }; + allow xserver_t xselection_type:x_selection { getattr read setattr write }; + allow xserver_t x_domain:x_cursor { create destroy getattr read setattr use write }; + allow xserver_t x_domain:x_client { destroy getattr manage setattr }; + allow xserver_t { x_domain xserver_t }:x_device { add bell create destroy force_cursor freeze get_property getattr getfocus grab list_property manage read remove set_property setattr setfocus use write }; + allow xserver_t { x_domain xserver_t }:x_pointer { add bell create destroy force_cursor freeze get_property getattr getfocus grab list_property manage read remove set_property setattr setfocus use write }; + allow xserver_t { x_domain xserver_t }:x_keyboard { add bell create destroy force_cursor freeze get_property getattr getfocus grab list_property manage read remove set_property setattr setfocus use write }; allow xserver_t xextension_type:x_extension { query use }; allow xserver_t { x_domain xserver_t }:x_resource { read write }; - allow xserver_t xevent_type:{ x_event x_synthetic_event } { send receive }; + allow xserver_t xevent_type:{ x_event x_synthetic_event } { receive send }; ') optional_policy(` @@ -881,7 +881,7 @@ optional_policy(` # cjp: when xdm is configurable via tunable these # rules will be enabled only when xdm is enabled -allow xserver_t xdm_t:process { signal getpgid }; +allow xserver_t xdm_t:process { getpgid signal }; allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open 
@@ -944,7 +944,7 @@ allow x_domain xserver_t:x_server grab; # can read and write server-owned generic resources allow x_domain xserver_t:x_resource { read write }; # can mess with own clients -allow x_domain self:x_client { getattr manage destroy }; +allow x_domain self:x_client { destroy getattr manage }; # X Protocol Extensions allow x_domain xextension_t:x_extension { query use }; 
@@ -952,40 +952,40 @@ allow x_domain security_xextension_t:x_extension { query use }; # X Properties # can change properties of root window -allow x_domain root_xdrawable_t:x_drawable { list_property get_property set_property }; +allow x_domain root_xdrawable_t:x_drawable { get_property list_property set_property }; # can change properties of my own windows -allow x_domain self:x_drawable { list_property get_property set_property }; +allow x_domain self:x_drawable { get_property list_property set_property }; # can read and write cut buffers -allow x_domain clipboard_xproperty_t:x_property { create read write append }; +allow x_domain clipboard_xproperty_t:x_property { append create read write }; # can read security labels allow x_domain seclabel_xproperty_t:x_property { getattr read }; # can change all other properties -allow x_domain xproperty_t:x_property { getattr create read write append destroy }; +allow x_domain xproperty_t:x_property { append create destroy getattr read write }; # X Windows # operations allowed on root windows -allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; +allow x_domain root_xdrawable_t:x_drawable { add_child getattr hide list_child receive remove_child send setattr show }; # operations allowed on my windows -allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; +allow x_domain self:x_drawable { add_child create destroy getattr hide list_child manage read receive remove_child send setattr show write }; allow x_domain self:x_drawable { blend }; # operations allowed on all windows -allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; +allow x_domain x_domain:x_drawable { get_property getattr remove_child set_property }; # X Colormaps # can use the default colormap -allow x_domain root_xcolormap_t:x_colormap { read use add_color remove_color install 
uninstall }; +allow x_domain root_xcolormap_t:x_colormap { add_color install read remove_color uninstall use }; # can create and use colormaps -allow x_domain self:x_colormap { create destroy read write getattr add_color remove_color install uninstall use }; +allow x_domain self:x_colormap { add_color create destroy getattr install read remove_color uninstall use write }; # X Devices # operations allowed on my own devices -allow x_domain self:{ x_device x_pointer x_keyboard } { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy }; +allow x_domain self:{ x_device x_pointer x_keyboard } { add bell create destroy force_cursor freeze get_property getattr getfocus grab list_property manage read remove set_property setattr setfocus use write }; # operations allowed on generic devices -allow x_domain xserver_t:x_device { use getattr setattr getfocus setfocus bell grab freeze force_cursor }; +allow x_domain xserver_t:x_device { bell force_cursor freeze getattr getfocus grab setattr setfocus use }; # operations allowed on core keyboard -allow x_domain xserver_t:x_keyboard { use getattr setattr getfocus setfocus bell grab }; +allow x_domain xserver_t:x_keyboard { bell getattr getfocus grab setattr setfocus use }; # operations allowed on core pointer -allow x_domain xserver_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor }; +allow x_domain xserver_t:x_pointer { bell force_cursor freeze getattr getfocus grab read setattr setfocus use }; # all devices can generate input events allow x_domain root_xdrawable_t:x_drawable send; 
@@ -1007,13 +1007,13 @@ allow x_domain root_input_xevent_t:x_event receive; # X Selections # can use the clipboard -allow x_domain clipboard_xselection_t:x_selection { getattr setattr read }; +allow x_domain clipboard_xselection_t:x_selection { getattr read setattr }; # can use default selections -allow x_domain xselection_t:x_selection { getattr setattr read }; +allow x_domain xselection_t:x_selection { getattr read setattr }; # Other X Objects # can create and use cursors -allow x_domain self:x_cursor { create destroy read write getattr setattr use }; +allow x_domain self:x_cursor { create destroy getattr read setattr use write }; # can create and use graphics contexts allow x_domain self:x_gc { create destroy getattr setattr use }; # can read and write own objects 
@@ -1030,38 +1030,38 @@ tunable_policy(`! xserver_object_manager',`
 # should be xserver_unconfined(x_domain),
 # but typeattribute doesnt work in conditionals
- allow x_domain xserver_t:x_server { getattr setattr record debug grab manage };
- allow x_domain xdrawable_type:x_drawable { create destroy read write blend getattr setattr list_child add_child remove_child list_property get_property set_property manage override show hide send receive };
- allow x_domain xserver_t:x_screen { getattr setattr hide_cursor show_cursor saver_getattr saver_setattr saver_hide saver_show };
+ allow x_domain xserver_t:x_server { debug getattr grab manage record setattr };
+ allow x_domain xdrawable_type:x_drawable { add_child blend create destroy get_property getattr hide list_child list_property manage override read receive remove_child send set_property setattr show write };
+ allow x_domain xserver_t:x_screen { getattr hide_cursor saver_getattr saver_hide saver_setattr saver_show setattr show_cursor };
 allow x_domain x_domain:x_gc { create destroy getattr setattr use };
- allow x_domain xcolormap_type:x_colormap { create destroy read write getattr add_color remove_color install uninstall use };
- allow x_domain xproperty_type:x_property { create destroy read write append getattr setattr };
- allow x_domain xselection_type:x_selection { read write getattr setattr };
- allow x_domain x_domain:x_cursor { create destroy read write getattr setattr use };
- allow x_domain x_domain:x_client { destroy getattr setattr manage };
- allow x_domain { x_domain xserver_t }:x_device { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
- allow x_domain { x_domain xserver_t }:x_pointer { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
- allow x_domain { x_domain xserver_t }:x_keyboard {
getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+ allow x_domain xcolormap_type:x_colormap { add_color create destroy getattr install read remove_color uninstall use write };
+ allow x_domain xproperty_type:x_property { append create destroy getattr read setattr write };
+ allow x_domain xselection_type:x_selection { getattr read setattr write };
+ allow x_domain x_domain:x_cursor { create destroy getattr read setattr use write };
+ allow x_domain x_domain:x_client { destroy getattr manage setattr };
+ allow x_domain { x_domain xserver_t }:x_device { add bell create destroy force_cursor freeze get_property getattr getfocus grab list_property manage read remove set_property setattr setfocus use write };
+ allow x_domain { x_domain xserver_t }:x_pointer { add bell create destroy force_cursor freeze get_property getattr getfocus grab list_property manage read remove set_property setattr setfocus use write };
+ allow x_domain { x_domain xserver_t }:x_keyboard { add bell create destroy force_cursor freeze get_property getattr getfocus grab list_property manage read remove set_property setattr setfocus use write };
 allow x_domain xextension_type:x_extension { query use };
 allow x_domain { x_domain xserver_t }:x_resource { read write };
- allow x_domain xevent_type:{ x_event x_synthetic_event } { send receive };
+ allow x_domain xevent_type:{ x_event x_synthetic_event } { receive send };
 ')
-allow xserver_unconfined_type xserver_t:x_server { getattr setattr record debug grab manage };
-allow xserver_unconfined_type xdrawable_type:x_drawable { create destroy read write blend getattr setattr list_child add_child remove_child list_property get_property set_property manage override show hide send receive };
-allow xserver_unconfined_type xserver_t:x_screen { getattr setattr hide_cursor show_cursor saver_getattr saver_setattr saver_hide saver_show };
+allow
xserver_unconfined_type xserver_t:x_server { debug getattr grab manage record setattr };
+allow xserver_unconfined_type xdrawable_type:x_drawable { add_child blend create destroy get_property getattr hide list_child list_property manage override read receive remove_child send set_property setattr show write };
+allow xserver_unconfined_type xserver_t:x_screen { getattr hide_cursor saver_getattr saver_hide saver_setattr saver_show setattr show_cursor };
 allow xserver_unconfined_type x_domain:x_gc { create destroy getattr setattr use };
-allow xserver_unconfined_type xcolormap_type:x_colormap { create destroy read write getattr add_color remove_color install uninstall use };
-allow xserver_unconfined_type xproperty_type:x_property { create destroy read write append getattr setattr };
-allow xserver_unconfined_type xselection_type:x_selection { read write getattr setattr };
-allow xserver_unconfined_type x_domain:x_cursor { create destroy read write getattr setattr use };
-allow xserver_unconfined_type x_domain:x_client { destroy getattr setattr manage };
-allow xserver_unconfined_type { x_domain xserver_t }:x_device { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
-allow xserver_unconfined_type { x_domain xserver_t }:x_pointer { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
-allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy };
+allow xserver_unconfined_type xcolormap_type:x_colormap { add_color create destroy getattr install read remove_color uninstall use write };
+allow xserver_unconfined_type xproperty_type:x_property { append create destroy getattr read setattr write };
+allow
xserver_unconfined_type xselection_type:x_selection { getattr read setattr write };
+allow xserver_unconfined_type x_domain:x_cursor { create destroy getattr read setattr use write };
+allow xserver_unconfined_type x_domain:x_client { destroy getattr manage setattr };
+allow xserver_unconfined_type { x_domain xserver_t }:x_device { add bell create destroy force_cursor freeze get_property getattr getfocus grab list_property manage read remove set_property setattr setfocus use write };
+allow xserver_unconfined_type { x_domain xserver_t }:x_pointer { add bell create destroy force_cursor freeze get_property getattr getfocus grab list_property manage read remove set_property setattr setfocus use write };
+allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard { add bell create destroy force_cursor freeze get_property getattr getfocus grab list_property manage read remove set_property setattr setfocus use write };
 allow xserver_unconfined_type xextension_type:x_extension { query use };
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource { read write };
-allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } { send receive };
+allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } { receive send };
 # for sddm to use pam for greeter
 gen_user(xdm,, xdm_r, s0, s0)
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index 9ef23b8daa..ac38d3078f 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -128,7 +128,7 @@ optional_policy(`
 #
 allow zabbix_agent_t self:capability { setgid setuid };
-allow zabbix_agent_t self:process { setsched getsched signal setrlimit };
+allow zabbix_agent_t self:process { getsched setrlimit setsched signal };
 allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
 allow zabbix_agent_t self:sem create_sem_perms;
 allow zabbix_agent_t self:shm create_shm_perms;
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index 933e601736..c46010cd46 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -39,7 +39,7 @@ files_tmp_file(zebra_tmp_t)
 allow zebra_t self:capability { net_admin net_raw setgid setuid };
 dontaudit zebra_t self:capability sys_tty_config;
-allow zebra_t self:process { signal_perms getcap setcap };
+allow zebra_t self:process { getcap setcap signal_perms };
 allow zebra_t self:fifo_file rw_fifo_file_perms;
 allow zebra_t self:unix_stream_socket { accept connectto listen };
 allow zebra_t self:netlink_route_socket create_netlink_socket_perms;
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 62e0e05859..fca13171e2 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1030,7 +1030,7 @@ interface(`auth_rw_lastlog',`
 ')
 logging_search_logs($1)
- allow $1 lastlog_t:file { rw_file_perms lock setattr };
+ allow $1 lastlog_t:file { lock rw_file_perms setattr };
 ')
 ########################################
@@ -1676,7 +1676,7 @@ interface(`auth_write_login_records',`
 type wtmp_t;
 ')
- allow $1 wtmp_t:file { write_file_perms lock };
+ allow $1 wtmp_t:file { lock write_file_perms };
 ')
 ########################################
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 5d675bc155..f33a8095f3 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -178,7 +178,7 @@ optional_policy(`
 # PAM local policy
 #
-allow pam_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow pam_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
 dontaudit pam_t self:capability sys_tty_config;
 allow pam_t self:fd use;
@@ -190,7 +190,7 @@ allow pam_t self:unix_stream_socket connectto;
 allow pam_t self:shm create_shm_perms;
 allow pam_t self:sem create_sem_perms;
 allow pam_t self:msgq create_msgq_perms;
-allow pam_t self:msg { send receive };
+allow pam_t self:msg { receive send };
 delete_files_pattern(pam_t, pam_runtime_t, pam_runtime_t)
 read_files_pattern(pam_t, pam_runtime_t, pam_runtime_t)
@@ -270,7 +270,7 @@ optional_policy(`
 allow pam_console_t self:capability { chown fowner fsetid };
 dontaudit pam_console_t self:capability sys_tty_config;
-allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
+allow pam_console_t self:process { sigchld sigkill signal signull sigstop };
 # for /var/run/console.lock checking
 read_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
diff --git a/policy/modules/system/daemontools.te b/policy/modules/system/daemontools.te
index 203da4303e..3e10c1e357 100644
--- a/policy/modules/system/daemontools.te
+++ b/policy/modules/system/daemontools.te
@@ -105,7 +105,7 @@ allow svc_start_t svc_svc_t:file manage_file_perms;
 allow svc_start_t svc_svc_t:lnk_file manage_lnk_file_perms;
 allow svc_start_t svc_multilog_t:process signal;
-allow svc_start_t svc_run_t:process { signal setrlimit };
+allow svc_start_t svc_run_t:process { setrlimit signal };
 can_exec(svc_start_t, svc_start_exec_t)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index d5e090c285..0866e14b7d 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -35,7 +35,7 @@ ifdef(`distro_gentoo',`
 # ipc_lock is for losetup
 allow fsadm_t self:capability { dac_override dac_read_search ipc_lock sys_admin sys_rawio sys_resource sys_tty_config };
 dontaudit fsadm_t self:capability net_admin;
-allow fsadm_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execstack setkeycreate setsockcreate getrlimit };
+allow fsadm_t self:process { dyntransition execstack getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
 allow fsadm_t self:fd use;
 allow fsadm_t self:fifo_file rw_fifo_file_perms;
 allow fsadm_t self:sock_file read_sock_file_perms;
@@ -46,7 +46,7 @@ allow fsadm_t self:unix_stream_socket connectto;
 allow fsadm_t self:shm create_shm_perms;
 allow fsadm_t self:sem create_sem_perms;
 allow fsadm_t self:msgq create_msgq_perms;
-allow fsadm_t self:msg { send receive };
+allow fsadm_t self:msg { receive send };
 can_exec(fsadm_t, fsadm_exec_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index b3f92eec7c..b2e3d639ea 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -146,7 +146,7 @@ interface(`init_script_domain',`
 type init_t;
 ')
- allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+ allow $1 init_t:unix_stream_socket { getattr ioctl read write };
 allow init_t $1:process2 { nnp_transition nosuid_transition };
 ')
@@ -187,7 +187,7 @@ interface(`init_domain',`
 type init_tmpfs_t;
 ')
- allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+ allow $1 init_t:unix_stream_socket { getattr ioctl read write };
 allow init_t $1:process siginh;
 allow init_t $1:process2 { nnp_transition nosuid_transition };
@@ -283,7 +283,7 @@ interface(`init_spec_daemon_domain',`
 type init_tmpfs_t;
 ')
- allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+ allow $1 init_t:unix_stream_socket { getattr ioctl read write };
 allow init_t $1:process2 { nnp_transition nosuid_transition };
@@ -755,10 +755,10 @@ interface(`init_pgm_spec_user_daemon_domain',`
 spec_domtrans_pattern(init_t, init_exec_t, $1)
- allow init_t $1:process { setsched rlimitinh noatsecure };
+ allow init_t $1:process { noatsecure rlimitinh setsched };
 ifdef(`init_systemd',`
- allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+ allow $1 init_t:unix_stream_socket { getattr ioctl read write };
 ')
 ')
@@ -1141,7 +1141,7 @@ interface(`init_rw_inherited_stream_socket',`
 type init_t;
 ')
- allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+ allow $1 init_t:unix_stream_socket { getattr ioctl read write };
 ')
 ########################################
@@ -2054,10 +2054,10 @@ interface(`init_kill_scripts',`
 interface(`init_manage_script_service',`
 gen_require(`
 type initrc_exec_t;
- class service { status start stop };
+ class service { start status stop };
 ')
- allow $1 initrc_exec_t:service { start stop status };
+ allow $1 initrc_exec_t:service { start status stop };
 ')
 ########################################
@@ -2796,7 +2796,7 @@ interface(`init_dontaudit_use_script_ptys',`
 type initrc_devpts_t;
 ')
- dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
+ dontaudit $1 initrc_devpts_t:chr_file { append lock rw_term_perms };
 ')
 ########################################
@@ -3000,7 +3000,7 @@ interface(`init_dontaudit_write_utmp',`
 type initrc_runtime_t;
 ')
- dontaudit $1 initrc_runtime_t:file { write lock };
+ dontaudit $1 initrc_runtime_t:file { lock write };
 ')
 ########################################
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4b880e1600..9a9a5fe724 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -156,8 +156,8 @@ ifdef(`enable_mls',`
 #
 # Use capabilities. old rule:
-allow init_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
-allow init_t self:capability2 { wake_alarm block_suspend };
+allow init_t self:capability { audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
+allow init_t self:capability2 { block_suspend wake_alarm };
 # is ~sys_module really needed? observed:
 # sys_boot
 # sys_tty_config
@@ -259,21 +259,21 @@ miscfiles_read_localization(init_t)
 ifdef(`init_systemd',`
 gen_require(`
- class service { status start stop };
- class system { status reboot halt reload };
+ class service { start status stop };
+ class system { halt reboot reload status };
 ')
 # handle instances where an old labeled init script is encountered.
 typeattribute init_t init_run_all_scripts_domain;
 allow init_t self:unix_dgram_socket { create_socket_perms sendto };
- allow init_t self:process { setsockcreate setfscreate setrlimit };
- allow init_t self:process { getcap setcap getsched setsched };
- allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
+ allow init_t self:process { setfscreate setrlimit setsockcreate };
+ allow init_t self:process { getcap getsched setcap setsched };
+ allow init_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow init_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
 allow init_t self:netlink_netfilter_socket create_socket_perms;
 allow init_t self:netlink_selinux_socket create_socket_perms;
- allow init_t self:system { status reboot halt reload };
+ allow init_t self:system { halt reboot reload status };
 # Until systemd is fixed
 allow init_t self:udp_socket create_socket_perms;
 allow init_t self:netlink_route_socket create_netlink_socket_perms;
@@ -286,7 +286,7 @@ ifdef(`init_systemd',`
 # manage the capabilities granted to namespace processes
 allow init_t self:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
- allow init_t self:cap2_userns { audit_read bpf block_suspend mac_admin mac_override perfmon syslog wake_alarm };
+ allow init_t self:cap2_userns { audit_read block_suspend bpf mac_admin mac_override perfmon syslog wake_alarm };
 allow init_t init_mountpoint_type:dir_file_class_set { getattr mounton };
@@ -302,7 +302,7 @@ ifdef(`init_systemd',`
 allow init_t systemprocess:unix_dgram_socket create_socket_perms;
 # setexec and setkeycreate for systemd --user
- allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
+ allow init_t self:process { getcap getsched setcap setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate };
 allow init_t self:capability2 { audit_read block_suspend bpf perfmon };
 allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow init_t self:unix_dgram_socket lock;
@@ -315,12 +315,12 @@ ifdef(`init_systemd',`
 allow init_t daemon:udp_socket create_socket_perms;
 allow daemon init_t:unix_dgram_socket sendto;
- allow init_run_all_scripts_domain systemdunit:service { status start stop };
+ allow init_run_all_scripts_domain systemdunit:service { start status stop };
 allow systemprocess init_t:unix_dgram_socket sendto;
- allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
+ allow systemprocess init_t:unix_stream_socket { append getattr ioctl read write };
- allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
+ allow daemon init_t:unix_stream_socket { append getattr ioctl read write };
 # systemd must be able to renice processes in other
 # slices when containers are started and stopped
@@ -568,7 +568,7 @@ ifdef(`init_systemd',`
 userdom_relabel_user_runtime_root_dirs(init_t)
 tunable_policy(`init_create_mountpoints',`
- allow init_t init_mountpoint_type:dir { create_dir_perms add_entry_dir_perms };
+ allow init_t init_mountpoint_type:dir { add_entry_dir_perms create_dir_perms };
 allow init_t init_mountpoint_type:fifo_file create_fifo_file_perms;
 allow init_t init_mountpoint_type:sock_file create_sock_file_perms;
 allow init_t init_mountpoint_type:lnk_file create_lnk_file_perms;
@@ -716,9 +716,9 @@ optional_policy(`
 # Init script local policy
 #
-allow initrc_t self:process { getcap getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
-allow initrc_t self:capability2 { wake_alarm block_suspend };
+allow initrc_t self:process { getcap getpgid getsched setpgid setrlimit setsched };
+allow initrc_t self:capability { audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap setuid sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
+allow initrc_t self:capability2 { block_suspend wake_alarm };
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:netlink_kobject_uevent_socket create_socket_perms; # needed by rdma-ndd
 allow initrc_t self:passwd rootok;
@@ -726,7 +726,7 @@ allow initrc_t self:key manage_key_perms;
 # Allow IPC with self
 allow initrc_t self:unix_dgram_socket create_socket_perms;
-allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
+allow initrc_t self:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen read setattr setopt shutdown write };
 allow initrc_t self:tcp_socket create_stream_socket_perms;
 allow initrc_t self:udp_socket create_socket_perms;
 allow initrc_t self:fifo_file rw_fifo_file_perms;
@@ -1125,10 +1125,10 @@ ifdef(`enable_mls',`
 ifdef(`init_systemd',`
 gen_require(`
- class service { stop start status reload };
- class system { start stop status reboot halt reload };
+ class service { reload start status stop };
+ class system { halt reboot reload start status stop };
 ')
- allow initrc_t init_t:system { start stop status reboot halt reload };
+ allow initrc_t init_t:system { halt reboot reload start status stop };
 manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
 files_lock_filetrans(initrc_t, initrc_lock_t, file)
@@ -1149,7 +1149,7 @@ ifdef(`init_systemd',`
 manage_files_pattern(initrc_t, systemdunit, systemdunit)
 manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
 allow initrc_t systemdunit:service reload;
- allow initrc_t init_script_file_type:service { stop start status reload };
+ allow initrc_t init_script_file_type:service { reload start status stop };
 # Access to notify socket for services with Type=notify
 kernel_dgram_send(initrc_t)
@@ -1563,7 +1563,7 @@ init_use_script_ptys(daemon)
 ifdef(`init_systemd',`
 # Until systemd is fixed
- allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+ allow daemon init_t:socket_class_set { getattr getopt ioctl read setopt write };
 fs_search_cgroup_dirs(daemon)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 5956c85938..e9daccf103 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -82,7 +82,7 @@ role system_r types setkey_t;
 allow ipsec_t self:capability { chown dac_override dac_read_search net_admin setgid setpcap setuid sys_nice };
 dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
-allow ipsec_t self:process { getcap setcap getsched signal setsched };
+allow ipsec_t self:process { getcap getsched setcap setsched signal };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:udp_socket create_socket_perms;
 allow ipsec_t self:key_socket create_socket_perms;
@@ -235,8 +235,8 @@ allow ipsec_mgmt_t ipsec_runtime_t:sock_file manage_sock_file_perms;
 files_runtime_filetrans(ipsec_mgmt_t, ipsec_runtime_t, sock_file)
 # logger, running in ipsec_mgmt_t needs to use sockets
-allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
-allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
+allow ipsec_mgmt_t self:unix_dgram_socket { connect create write };
+allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { connect create write };
 # whack needs to connect to pluto
 stream_connect_pattern(ipsec_mgmt_t, ipsec_runtime_t, ipsec_runtime_t, ipsec_t)
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index aa657ee031..36970cd03a 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -37,7 +37,7 @@ allow iptables_t self:capability { dac_override dac_read_search net_admin net_ra
 dontaudit iptables_t self:capability sys_tty_config;
 allow iptables_t self:cap_userns { net_admin net_raw };
 allow iptables_t self:fifo_file rw_fifo_file_perms;
-allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+allow iptables_t self:process { sigchld sigkill signal signull sigstop };
 allow iptables_t self:netlink_socket create_socket_perms;
 allow iptables_t self:netlink_netfilter_socket create_socket_perms;
 allow iptables_t self:rawip_socket create_socket_perms;
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index cf70f6d3fb..7f60f2878e 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -44,7 +44,7 @@ allow iscsid_t self:netlink_iscsi_socket create_socket_perms;
 allow iscsid_t self:netlink_socket create_socket_perms;
 allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow iscsid_t self:netlink_route_socket nlmsg_write;
-allow iscsid_t self:tcp_socket { listen accept };
+allow iscsid_t self:tcp_socket { accept listen };
 manage_dirs_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
 manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 8330be8a9f..4ba131d292 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -32,7 +32,7 @@ role system_r types sulogin_t;
 # Local login local policy
 #
-allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+allow local_login_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
 dontaudit local_login_t self:capability net_admin;
 allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
 allow local_login_t self:fd use;
@@ -45,8 +45,8 @@ allow local_login_t self:unix_stream_socket connectto;
 allow local_login_t self:shm create_shm_perms;
 allow local_login_t self:sem create_sem_perms;
 allow local_login_t self:msgq create_msgq_perms;
-allow local_login_t self:msg { send receive };
-allow local_login_t self:key { search write link };
+allow local_login_t self:msg { receive send };
+allow local_login_t self:key { link search write };
 allow local_login_t local_login_lock_t:file manage_file_perms;
 files_lock_filetrans(local_login_t, local_login_lock_t, file)
@@ -244,7 +244,7 @@ allow sulogin_t self:unix_stream_socket connectto;
 allow sulogin_t self:shm create_shm_perms;
 allow sulogin_t self:sem create_sem_perms;
 allow sulogin_t self:msgq create_msgq_perms;
-allow sulogin_t self:msg { send receive };
+allow sulogin_t self:msg { receive send };
 kernel_read_system_state(sulogin_t)
 kernel_stream_connect(sulogin_t)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 49028a0cb7..7487a70536 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -61,7 +61,7 @@ interface(`logging_log_file',`
 #
 interface(`logging_send_audit_msgs',`
 allow $1 self:capability audit_write;
- allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
+ allow $1 self:netlink_audit_socket { nlmsg_relay r_netlink_socket_perms };
 ')
 #######################################
@@ -76,7 +76,7 @@ interface(`logging_send_audit_msgs',`
 #
 interface(`logging_dontaudit_send_audit_msgs',`
 dontaudit $1 self:capability audit_write;
- dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
+ dontaudit $1 self:netlink_audit_socket { nlmsg_relay r_netlink_socket_perms };
 ')
 ########################################
@@ -91,7 +91,7 @@ interface(`logging_dontaudit_send_audit_msgs',`
 #
 interface(`logging_set_loginuid',`
 allow $1 self:capability audit_control;
- allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
+ allow $1 self:netlink_audit_socket { nlmsg_relay r_netlink_socket_perms };
 ')
 ########################################
@@ -105,7 +105,7 @@ interface(`logging_set_loginuid',`
 ##
 #
 interface(`logging_set_tty_audit',`
- allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit };
+ allow $1 self:netlink_audit_socket { nlmsg_tty_audit r_netlink_socket_perms };
 ')
 ########################################
@@ -318,7 +318,7 @@ interface(`logging_dispatcher_domain',`
 allow auditd_t $2:file getattr;
 domtrans_pattern(audisp_t, $2, $1)
- allow audisp_t $1:process { sigkill sigstop signull signal };
+ allow audisp_t $1:process { sigkill signal signull sigstop };
 allow audisp_t $2:file getattr;
 allow $1 audisp_t:unix_stream_socket rw_socket_perms;
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 9d9a01fcc7..eea78ffc51 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -164,7 +164,7 @@ optional_policy(`
 allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
 dontaudit auditd_t self:capability sys_tty_config;
-allow auditd_t self:process { getcap signal_perms setcap setpgid setsched };
+allow auditd_t self:process { getcap setcap setpgid setsched signal_perms };
 allow auditd_t self:file rw_file_perms;
 allow auditd_t self:unix_dgram_socket create_socket_perms;
 allow auditd_t self:fifo_file rw_fifo_file_perms;
@@ -265,7 +265,7 @@ optional_policy(`
 #
 allow audisp_t self:capability { dac_override setpcap sys_nice };
-allow audisp_t self:process { getcap signal_perms setcap setsched };
+allow audisp_t self:process { getcap setcap setsched signal_perms };
 allow audisp_t self:fifo_file rw_fifo_file_perms;
 allow audisp_t self:unix_stream_socket create_stream_socket_perms;
 allow audisp_t self:unix_dgram_socket create_socket_perms;
@@ -402,7 +402,7 @@ dontaudit syslogd_t self:cap_userns { kill sys_ptrace };
 # getsched for syslog-ng
 # setsched for rsyslog
 # getcap/setcap for syslog-ng
-allow syslogd_t self:process { getcap setcap signal_perms setpgid setrlimit getsched setsched };
+allow syslogd_t self:process { getcap getsched setcap setpgid setrlimit setsched signal_perms };
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
@@ -511,7 +511,7 @@ ifdef(`init_systemd',`
 allow syslogd_t self:netlink_audit_socket connected_socket_perms;
 allow syslogd_t self:capability2 audit_read;
 allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
- allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
+ allow syslogd_t self:netlink_audit_socket { getattr getopt nlmsg_write read setopt write };
 # remove /run/log/journal when switching to permanent storage
 allow syslogd_t var_log_t:dir rmdir;
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 73a7475b7b..9abc417f58 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -51,7 +51,7 @@ files_type(lvm_var_lib_t)
 # net_admin for multipath
 allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
 dontaudit lvm_t self:capability sys_tty_config;
-allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate setrlimit };
+allow lvm_t self:process { setfscreate setrlimit sigchld sigkill signal signull sigstop };
 # LVM will complain a lot if it cannot set its priority.
 allow lvm_t self:process setsched;
 allow lvm_t self:file rw_file_perms;
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index c68d11ba0d..8d469b1c5c 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -377,7 +377,7 @@ interface(`miscfiles_dontaudit_write_fonts',`
 type fonts_t;
 ')
- dontaudit $1 fonts_t:dir { write setattr };
+ dontaudit $1 fonts_t:dir { setattr write };
 dontaudit $1 fonts_t:file write;
 ')
@@ -732,7 +732,7 @@ interface(`miscfiles_delete_man_pages',`
 ')
 files_search_usr($1)
- allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms };
+ allow $1 { man_cache_t man_t }:dir { list_dir_perms setattr_dir_perms };
 delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
 delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
 delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 08ec097794..09e782c6f3 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -35,7 +35,7 @@ interface(`modutils_read_module_deps',`
 ')
 files_list_kernel_modules($1)
- allow $1 modules_dep_t:file { read_file_perms map };
+ allow $1 modules_dep_t:file { map read_file_perms };
 ')
 ########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 12c4dc4662..3f1f5ec13c 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -34,7 +34,7 @@ ifdef(`init_systemd',`
 #
 allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
-allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
+allow kmod_t self:process { execmem sigchld sigkill signal signull sigstop };
 # for the radeon/amdgpu modules
 dontaudit kmod_t self:capability sys_admin;
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 3e1fc4fdec..86a6e55037 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -243,9 +243,9 @@ allow newrole_t self:sock_file read_sock_file_perms;
 allow newrole_t self:shm create_shm_perms;
 allow newrole_t self:sem create_sem_perms;
 allow newrole_t self:msgq create_msgq_perms;
-allow newrole_t self:msg { send receive };
+allow newrole_t self:msg { receive send };
 allow newrole_t self:unix_dgram_socket sendto;
-allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow newrole_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 read_files_pattern(newrole_t, default_context_t, default_context_t)
@@ -624,7 +624,7 @@ allow setfiles_t self:fifo_file rw_fifo_file_perms;
 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
+allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { ioctl lock read_lnk_file_perms };
 allow setfiles_t file_context_t:file map;
 kernel_read_system_state(setfiles_t)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 12e66aad94..0a87a8d705 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -37,7 +37,7 @@ ifdef(`enable_mls',`
 #
 allow setrans_t self:capability sys_resource;
-allow setrans_t self:process { setrlimit getcap setcap signal_perms };
+allow setrans_t self:process { getcap setcap setrlimit signal_perms };
 allow setrans_t self:unix_stream_socket create_stream_socket_perms;
 allow setrans_t self:unix_dgram_socket create_socket_perms;
 allow setrans_t self:netlink_selinux_socket create_socket_perms;
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index b5607a2dad..59e94b4684 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -65,7 +65,7 @@ allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service n
 dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms setrlimit };
+allow dhcpc_t self:process { getcap getsched ptrace setcap setfscreate setrlimit signal_perms };
 allow dhcpc_t self:cap_userns { net_bind_service };
 allow dhcpc_t self:fifo_file rw_fifo_file_perms;
@@ -292,7 +292,7 @@ optional_policy(`
 allow ifconfig_t self:capability { net_admin net_raw sys_admin sys_tty_config };
 dontaudit ifconfig_t self:capability sys_module;
-allow ifconfig_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow ifconfig_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
 allow ifconfig_t self:fd use;
 allow ifconfig_t self:fifo_file rw_fifo_file_perms;
 allow ifconfig_t self:sock_file read_sock_file_perms;
@@ -304,7 +304,7 @@ allow ifconfig_t self:unix_stream_socket connectto;
 allow ifconfig_t self:shm create_shm_perms;
 allow ifconfig_t self:sem create_sem_perms;
 allow ifconfig_t self:msgq create_msgq_perms;
-allow ifconfig_t self:msg { send receive };
+allow ifconfig_t self:msg { receive send };
 # Create UDP sockets, necessary when called from dhcpc
 allow ifconfig_t self:udp_socket create_socket_perms;
 # for /sbin/ip
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 6c57d48695..a9c8a1a5a0 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -23,7 +23,7 @@ template(`systemd_role_template',`
 gen_require(`
 class service { reload start status stop };
- class system { disable enable reload start stop status };
+ class system { disable enable reload start status stop };
 attribute systemd_user_session_type, systemd_log_parse_env_type;
 attribute systemd_user_activated_sock_file_type, systemd_user_unix_stream_activated_socket_type;
 type systemd_analyze_exec_t;
@@ -62,7 +62,7 @@ template(`systemd_role_template',`
 allow $1_systemd_t self:process { getsched signal };
 allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
+ allow $1_systemd_t $3:process { rlimitinh setsched signal_perms };
 corecmd_shell_domtrans($1_systemd_t, $3)
 corecmd_bin_domtrans($1_systemd_t, $3)
@@ -170,7 +170,7 @@ template(`systemd_role_template',`
 allow $3 $1_systemd_t:fifo_file rw_inherited_fifo_file_perms;
 stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
- allow $3 $1_systemd_t:system { disable enable reload start stop status };
+ allow $3 $1_systemd_t:system { disable enable reload start status stop };
 allow $3 systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
 allow $3 systemd_user_runtime_t:file { manage_file_perms relabel_file_perms };
@@ -2074,10 +2074,10 @@ interface(`systemd_manage_networkd_units',`
 interface(`systemd_enabledisable_networkd',`
 gen_require(`
 type systemd_networkd_unit_t;
- class service { enable disable };
+ class service { disable enable };
 ')
- allow $1 systemd_networkd_unit_t:service { enable disable };
+ allow $1 systemd_networkd_unit_t:service { disable enable };
 ')
 ########################################
@@ -2555,13 +2555,13 @@ interface(`systemd_tmpfilesd_managed',`
 ')
 allow systemd_tmpfiles_t $1:dir { manage_dir_perms relabel_dir_perms };
- allow systemd_tmpfiles_t $1:file { create setattr unlink write_file_perms relabel_file_perms };
- allow systemd_tmpfiles_t $1:lnk_file { create read setattr unlink relabel_lnk_file_perms };
- allow systemd_tmpfiles_t $1:fifo_file { create setattr unlink relabel_fifo_file_perms };
+ allow systemd_tmpfiles_t $1:file { create relabel_file_perms setattr unlink write_file_perms };
+ allow systemd_tmpfiles_t $1:lnk_file { create read relabel_lnk_file_perms setattr unlink };
+ allow systemd_tmpfiles_t $1:fifo_file { create relabel_fifo_file_perms setattr unlink };
 ifelse(`$2',`',`',`
 refpolicywarn(`$0($*) second parameter is deprecated.')
- allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
+ allow systemd_tmpfiles_t $1:$2 { create relabelfrom relabelto setattr };
 ')
 ')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 840682e46e..5b55fa1f65 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -472,13 +472,13 @@ ifdef(`enable_mls',`
 # coredump local policy
 #
-allow systemd_coredump_t self:capability { dac_read_search setgid setuid setpcap sys_ptrace };
+allow systemd_coredump_t self:capability { dac_read_search setgid setpcap setuid sys_ptrace };
 dontaudit systemd_coredump_t self:capability { dac_override net_admin };
 allow systemd_coredump_t self:cap_userns { sys_admin sys_ptrace };
 allow systemd_coredump_t self:process { getcap setcap setfscreate };
 allow systemd_coredump_t self:user_namespace create;
-allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
-allow systemd_coredump_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow systemd_coredump_t self:unix_dgram_socket { connect create getopt setopt write };
+allow systemd_coredump_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow systemd_coredump_t self:fifo_file rw_inherited_fifo_file_perms;
 mmap_manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
@@ -629,7 +629,7 @@ optional_policy(`
 # systemd-homed policy
 #
-dontaudit systemd_homed_t self:capability { sys_resource sys_admin };
+dontaudit systemd_homed_t self:capability { sys_admin sys_resource };
 allow systemd_homed_t self:netlink_kobject_uevent_socket create_socket_perms;
 nnp_domtrans_pattern(systemd_homed_t, systemd_homework_exec_t, systemd_homework_t)
@@ -1095,7 +1095,7 @@ optional_policy(`
 allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
 allow systemd_machined_t self:cap_userns sys_chroot;
 allow systemd_machined_t self:process setfscreate;
-allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
+allow systemd_machined_t self:unix_dgram_socket { connect connected_socket_perms };
 term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
 allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_chr_file_perms;
@@ -1317,8 +1317,8 @@ miscfiles_read_localization(systemd_notify_t)
 # Nspawn local policy
 #
-allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
-allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
+allow systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit sigkill signal };
+allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setpcap setuid sys_admin sys_chroot };
 allow systemd_nspawn_t self:capability2 wake_alarm;
 allow systemd_nspawn_t self:user_namespace create;
 allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
@@ -1468,7 +1468,7 @@ optional_policy(`
 # systemd_passwd_agent_t local policy
 #
-allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
+allow systemd_passwd_agent_t self:capability { chown dac_override sys_tty_config };
 allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
 allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
@@ -1591,7 +1591,7 @@ logging_send_syslog_msg(systemd_pstore_t)
 # Rfkill local policy
 #
-allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr read getopt setopt };
+allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr getopt read setopt };
 manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
 manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
@@ -1681,7 +1681,7 @@ optional_policy(`
 # Socket-proxyd local policy
 #
-allow systemd_socket_proxyd_t self:unix_dgram_socket { create create_socket_perms getopt setopt sendto read write };
+allow systemd_socket_proxyd_t self:unix_dgram_socket { create create_socket_perms getopt read sendto setopt write };
 allow systemd_socket_proxyd_t self:tcp_socket accept;
 kernel_read_system_state(systemd_socket_proxyd_t)
@@ -1758,7 +1758,7 @@ systemd_log_parse_environment(systemd_sysctl_t)
 # Sysusers local policy
 #
-allow systemd_sysusers_t self:capability { dac_read_search chown fsetid };
+allow systemd_sysusers_t self:capability { chown dac_read_search fsetid };
 allow systemd_sysusers_t self:process setfscreate;
 allow systemd_sysusers_t self:unix_dgram_socket sendto;
@@ -1786,7 +1786,7 @@ systemd_log_parse_environment(systemd_sysusers_t)
 #
 allow systemd_tmpfiles_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin sys_admin };
-allow systemd_tmpfiles_t self:process { setfscreate getcap };
+allow systemd_tmpfiles_t self:process { getcap setfscreate };
 allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
 allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
@@ -1970,7 +1970,7 @@ allow systemd_user_session_type self:bpf { prog_load prog_run };
 allow systemd_user_session_type self:capability { dac_read_search sys_resource };
 dontaudit systemd_user_session_type self:capability dac_override;
 allow systemd_user_session_type self:fifo_file rw_fifo_file_perms;
-allow systemd_user_session_type self:process { setfscreate setsockcreate setcap getcap };
+allow systemd_user_session_type self:process { getcap setcap setfscreate setsockcreate };
 allow systemd_user_session_type self:udp_socket create_socket_perms;
 allow systemd_user_session_type self:unix_stream_socket create_stream_socket_perms;
 allow systemd_user_session_type self:netlink_kobject_uevent_socket { bind create getattr read setopt };
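Review bot: In the sorted systemd_socket_proxyd_t unix_dgram_socket rule at the top of this line, the explicit `create`, `getopt`, `read`, `setopt` and `write` sit next to `create_socket_perms`, which in refpolicy is presumably a permission-set macro that already expands to those permissions, so they look redundant now that the reorder puts them side by side. If that is confirmed against the macro definition, the rule reduces to `allow systemd_socket_proxyd_t self:unix_dgram_socket { create_socket_perms sendto };` with no change to the compiled policy. The overlap is pre-existing and not introduced by this commit; it is only flagged because the alphabetical order makes it visible.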
@@ -2087,7 +2087,7 @@ systemd_log_parse_environment(systemd_userdbd_t)
 # systemd-user-runtime-dir local policy
 #
-allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin dac_read_search dac_override };
+allow systemd_user_runtime_dir_t self:capability { chown dac_override dac_read_search fowner sys_admin };
 allow systemd_user_runtime_dir_t self:process setfscreate;
 domain_obj_id_change_exemption(systemd_user_runtime_dir_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index aac135f9fa..b2e43aa7d2 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -39,16 +39,16 @@ optional_policy(`
 #
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };
-allow udev_t self:capability2 { wake_alarm block_suspend };
-allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit setrlimit };
+allow udev_t self:capability2 { block_suspend wake_alarm };
+allow udev_t self:process { dyntransition execmem getattr getcap getpgid getrlimit getsched getsession noatsecure ptrace rlimitinh setcap setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition };
 allow udev_t self:fd use;
 allow udev_t self:fifo_file rw_fifo_file_perms;
 allow udev_t self:sock_file read_sock_file_perms;
 allow udev_t self:shm create_shm_perms;
 allow udev_t self:sem create_sem_perms;
 allow udev_t self:msgq create_msgq_perms;
-allow udev_t self:msg { send receive };
-allow udev_t self:unix_stream_socket { listen accept };
+allow udev_t self:msg { receive send };
+allow udev_t self:unix_stream_socket { accept listen };
 allow udev_t self:unix_dgram_socket sendto;
 allow udev_t self:unix_stream_socket connectto;
 allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 658fc22187..c870bcc009 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -36,13 +36,13 @@ interface(`unconfined_domain_noaudit',`
 unconfined_stub($1)
 # Use most Linux capabilities
- allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
- allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm bpf perfmon };
+ allow $1 self:{ capability cap_userns } { audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
+ allow $1 self:{ capability2 cap2_userns } { bpf perfmon syslog wake_alarm };
 allow $1 self:fifo_file manage_fifo_file_perms;
 # Manage most namespace capabilities
 allow $1 self:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
- allow $1 self:cap2_userns { audit_read bpf block_suspend mac_admin mac_override perfmon syslog wake_alarm };
+ allow $1 self:cap2_userns { audit_read block_suspend bpf mac_admin mac_override perfmon syslog wake_alarm };
 # Transition to myself, to make get_ordered_context_list happy.
 allow $1 self:process transition;
@@ -51,10 +51,10 @@ interface(`unconfined_domain_noaudit',`
 allow $1 self:file rw_file_perms;
 # Userland object managers
- allow $1 self:nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv };
+ allow $1 self:nscd { admin getgrp gethost getpwd getserv getstat shmemgrp shmemhost shmempwd shmemserv };
 allow $1 self:dbus { acquire_svc send_msg };
- allow $1 self:passwd { passwd chfn chsh rootok crontab };
- allow $1 self:association { sendto recvfrom setcontext polmatch };
+ allow $1 self:passwd { chfn chsh crontab passwd rootok };
+ allow $1 self:association { polmatch recvfrom sendto setcontext };
 kernel_unconfined($1)
 corenet_unconfined($1)
@@ -83,7 +83,7 @@ interface(`unconfined_domain_noaudit',`
 tunable_policy(`allow_execstack',`
 # Allow making the stack executable via mprotect;
 # execstack implies execmem;
- allow $1 self:process { execstack execmem };
+ allow $1 self:process { execmem execstack };
 # auditallow $1 self:process execstack;
 ')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 6c9769b047..68b78ff24d 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -57,7 +57,7 @@ ifdef(`direct_sysadm_daemon',`
 ifdef(`init_systemd',`
 gen_require(`
- class system { status start stop reload };
+ class system { reload start status stop };
 ')
 # for systemd-analyze
@@ -65,7 +65,7 @@ ifdef(`init_systemd',`
 # for systemd --user:
 init_linkable_keyring(unconfined_t)
 init_pgm_spec_user_daemon_domain(unconfined_t)
- allow unconfined_t self:system { status start stop reload };
+ allow unconfined_t self:system { reload start status stop };
 optional_policy(`
 systemd_dbus_chat_resolved(unconfined_t)
@@ -244,7 +244,7 @@ optional_policy(`
 # Unconfined Execmem Local policy
 #
-allow unconfined_execmem_t self:process { execstack execmem };
+allow unconfined_execmem_t self:process { execmem execstack };
 unconfined_domain_noaudit(unconfined_execmem_t)
 optional_policy(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 658ffee07b..a2a96e263c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -46,25 +46,25 @@ template(`userdom_base_user_template',`
 term_user_tty($1_t, user_tty_device_t)
- allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
+ allow $1_t self:process { getattr getpgid getsched getsession setcap setpgid setsched share signal_perms };
 allow $1_t self:fd use;
 allow $1_t self:key manage_key_perms;
 allow $1_t self:fifo_file rw_fifo_file_perms;
 allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
- allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow $1_t self:shm create_shm_perms;
 allow $1_t self:sem create_sem_perms;
 allow $1_t self:msgq create_msgq_perms;
- allow $1_t self:msg { send receive };
+ allow $1_t self:msg { receive send };
 allow $1_t self:context contains;
 dontaudit $1_t self:socket create;
- allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms };
+ allow $1_t user_devpts_t:chr_file { rw_chr_file_perms setattr };
 term_create_pty($1_t, user_devpts_t)
 # avoid annoying messages on terminal hangup on role change
 dontaudit $1_t user_devpts_t:chr_file ioctl;
- allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms };
+ allow $1_t user_tty_device_t:chr_file { rw_chr_file_perms setattr };
 # avoid annoying messages on terminal hangup on role change
 dontaudit $1_t user_tty_device_t:chr_file ioctl;
@@ -327,11 +327,11 @@ interface(`userdom_ro_home_role',`
 read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
 files_list_home($2)
- allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads };
- allow $2 user_home_t:file { watch watch_mount watch_sb watch_with_perm watch_reads };
- allow $2 user_home_t:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads };
- allow $2 user_home_t:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
- allow $2 user_home_t:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_reads watch_sb watch_with_perm };
+ allow $2 user_home_t:file { watch watch_mount watch_reads watch_sb watch_with_perm };
+ allow $2 user_home_t:lnk_file { watch watch_mount watch_reads watch_sb watch_with_perm };
+ allow $2 user_home_t:sock_file { watch watch_mount watch_reads watch_sb watch_with_perm };
+ allow $2 user_home_t:fifo_file { watch watch_mount watch_reads watch_sb watch_with_perm };
 tunable_policy(`use_nfs_home_dirs',`
 fs_list_nfs($2)
@@ -415,11 +415,11 @@ interface(`userdom_manage_home_role',`
 # cjp: this should probably be removed:
 allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_sb watch_with_perm watch_reads };
- allow $2 user_home_t:file { watch watch_mount watch_sb watch_with_perm watch_reads };
- allow $2 user_home_t:lnk_file { watch watch_mount watch_sb watch_with_perm watch_reads };
- allow $2 user_home_t:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
- allow $2 user_home_t:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
+ allow $2 { user_home_t user_home_dir_t }:dir { watch watch_mount watch_reads watch_sb watch_with_perm };
+ allow $2 user_home_t:file { watch watch_mount watch_reads watch_sb watch_with_perm };
+ allow $2 user_home_t:lnk_file { watch watch_mount watch_reads watch_sb watch_with_perm };
+ allow $2 user_home_t:sock_file { watch watch_mount watch_reads watch_sb watch_with_perm };
+ allow $2 user_home_t:fifo_file { watch watch_mount watch_reads watch_sb watch_with_perm };
 userdom_manage_user_bin($2)
 userdom_exec_user_bin_files($2)
@@ -643,8 +643,8 @@ template(`userdom_common_user_template',`
 #
 # evolution and gnome-session try to create a netlink socket
- dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
- dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+ dontaudit $1_t self:netlink_socket { append bind connect create getattr getopt ioctl read setattr setopt shutdown write };
+ dontaudit $1_t self:netlink_route_socket { append bind connect create getattr getopt ioctl nlmsg_read nlmsg_write read setattr setopt shutdown write };
 # gnome-settings-daemon and some applications create a netlink socket
 allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -984,9 +984,9 @@ template(`userdom_login_user_template', `
 allow $1_t self:capability { chown fowner setgid };
 dontaudit $1_t self:capability { fsetid sys_nice };
- allow $1_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+ allow $1_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure ptrace rlimitinh setcap setfscreate setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
 dontaudit $1_t self:process setrlimit;
- dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+ dontaudit $1_t self:netlink_route_socket { append bind connect create getattr getopt ioctl nlmsg_read nlmsg_write read setattr setopt shutdown write };
 allow $1_t self:context contains;
@@ -1329,7 +1329,7 @@ template(`userdom_unpriv_user_template', `
 template(`userdom_admin_user_template',`
 gen_require(`
 attribute admindomain;
- class passwd { passwd chfn chsh rootok };
+ class passwd { chfn chsh passwd rootok };
 ')
 ##############################
@@ -1355,14 +1355,14 @@ template(`userdom_admin_user_template',`
 # $1_t local policy
 #
- allow $1_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease setfcap };
+ allow $1_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
 allow $1_t self:cap_userns sys_ptrace;
 allow $1_t self:process { setexec setfscreate };
 allow $1_t self:netlink_audit_socket nlmsg_readpriv;
 allow $1_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 allow $1_t self:tun_socket create;
 # Set password information for other users.
- allow $1_t self:passwd { passwd chfn chsh };
+ allow $1_t self:passwd { chfn chsh passwd };
 # Skip authentication when pam_rootok is specified.
 allow $1_t self:passwd rootok;
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 6202a10533..c2cba693e6 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -258,7 +258,7 @@ xen_append_log(xenstored_t)
 #
 allow xm_t self:capability { dac_override ipc_lock net_admin setpcap sys_nice sys_tty_config };
-allow xm_t self:process { getcap getsched setsched setcap signal sigkill };
+allow xm_t self:process { getcap getsched setcap setsched sigkill signal };
 allow xm_t self:fifo_file rw_fifo_file_perms;
 allow xm_t self:unix_stream_socket { accept connectto listen };
 allow xm_t self:tcp_socket { accept listen };