Written by: Martin Orr Use macros in places where Debian packages need open perms added
Index: policy/modules/admin/logrotate.if
===================================================================
--- policy/modules/admin/logrotate.if.orig
+++ policy/modules/admin/logrotate.if
@@ -97,7 +97,7 @@
 type logrotate_var_lib_t;
 ')
- allow $1 logrotate_var_lib_t:dir search;
+ allow $1 logrotate_var_lib_t:dir search_dir_perms;
 ')
 ########################################
Index: policy/modules/system/logging.if
===================================================================
--- policy/modules/system/logging.if.orig
+++ policy/modules/system/logging.if
@@ -932,7 +932,7 @@
 type xconsole_device_t;
 ')
- allow $1 xconsole_device_t:fifo_file { getattr read };
+ allow $1 xconsole_device_t:fifo_file read_fifo_file_perms;
 ')
 ########################################
 ##
Index: policy/modules/kernel/devices.if
===================================================================
--- policy/modules/kernel/devices.if.orig
+++ policy/modules/kernel/devices.if
@@ -150,7 +150,7 @@
 relabelfrom_sock_files_pattern($1, device_t, device_node)
 relabel_blk_files_pattern($1, device_t, { device_t device_node })
 relabel_chr_files_pattern($1, device_t, { device_t device_node })
- allow $1 tmpfs_t:chr_file { read write };
+ allow $1 tmpfs_t:chr_file rw_file_perms;
 ')
 ########################################
@@ -801,7 +801,7 @@
 type device_t;
 ')
 allow $1 device_t:dir add_entry_dir_perms;
- allow $1 device_t:fifo_file { getattr create };
+ allow $1 device_t:fifo_file create_fifo_file_perms;
 allow $1 device_t:dir search_dir_perms;
 allow $1 device_t:file setattr_file_perms;
 ')
Index: policy/modules/admin/dpkg.te
===================================================================
--- policy/modules/admin/dpkg.te.orig
+++ policy/modules/admin/dpkg.te
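Review bot: The devices.if hunk at line 150 applies `rw_file_perms` to a `chr_file` rule; refpolicy provides the class-matched `rw_chr_file_perms` with the same permission list, so `allow $1 tmpfs_t:chr_file rw_chr_file_perms;` expresses the same grant and is consistent with the sibling hunks, which pick `read_fifo_file_perms`, `create_fifo_file_perms` and `write_sock_file_perms` by object class. Across the patch each macro grants more than the `open` named in the description: `read_file_perms` and `read_fifo_file_perms` also add `lock` and `ioctl`, `search_dir_perms` and `create_dir_perms` add `getattr`, and `exec_file_perms` in dpkg.te turns an execute-only rule into one that also permits reading the file; the same applies to the logrotate.if, logging.if, filesystem.if, init.te, logging.te, clamav.te and spamassassin.if hunks. This is the conventional refpolicy shape and is presumably harmless for these domains, which likely hold broader access to their own types already, but the description should state that the extra permissions are intended, e.g. `Use refpolicy *_perms macros; besides open these also grant getattr/lock/ioctl where the sets include them`. The interface and domain bodies these rules sit in begin outside the hunks.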
@@ -183,7 +183,7 @@
 # since the scripts are not labeled correctly yet...
 allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
 # This is used for running config files for debconf interactions
-allow dpkg_t dpkg_tmp_t:file { execute execute_no_trans };
+allow dpkg_t dpkg_tmp_t:file exec_file_perms;
 optional_policy(`
 apt_use_ptys(dpkg_t)
Index: policy/modules/kernel/filesystem.if
===================================================================
--- policy/modules/kernel/filesystem.if.orig
+++ policy/modules/kernel/filesystem.if
@@ -4077,7 +4077,7 @@
 type tmpfs_t;
 ')
- allow $1 tmpfs_t:file read;
+ allow $1 tmpfs_t:file read_file_perms;
 ')
 ########################################
Index: policy/modules/system/init.te
===================================================================
--- policy/modules/system/init.te.orig
+++ policy/modules/system/init.te
@@ -453,7 +453,7 @@
 # /etc/network/if-up.d/mountnfs wants to mkdir
 # /var/run/network/mountnfs as a poor mans lock
- allow initrc_t var_run_t:dir create;
+ allow initrc_t var_run_t:dir create_dir_perms;
 # for lsb_release which calls apt-cache
 apt_read_cache(initrc_t)
Index: policy/modules/system/logging.te
===================================================================
--- policy/modules/system/logging.te.orig
+++ policy/modules/system/logging.te
@@ -393,7 +393,7 @@
 rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
 # for rsyslogd, this access is harmless so making it unconditional
-allow syslogd_t proc_t:file { getattr read };
+allow syslogd_t proc_t:file read_file_perms;
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
Index: policy/modules/services/clamav.te
===================================================================
--- policy/modules/services/clamav.te.orig
+++ policy/modules/services/clamav.te
@@ -121,7 +121,7 @@
 corecmd_exec_shell(clamd_t)
 # for /proc/meminfo
-allow clamd_t proc_t:file { getattr read };
+allow clamd_t proc_t:file read_file_perms;
 corenet_all_recvfrom_unlabeled(clamd_t)
 corenet_all_recvfrom_netlabel(clamd_t)
Index: policy/modules/services/spamassassin.if
===================================================================
--- policy/modules/services/spamassassin.if.orig
+++ policy/modules/services/spamassassin.if
@@ -242,6 +242,6 @@
 ')
 allow $1 spamd_var_run_t:dir search_dir_perms;
- allow $1 spamd_var_run_t:sock_file write;
+ allow $1 spamd_var_run_t:sock_file write_sock_file_perms;
 allow $1 spamd_t:unix_stream_socket connectto;
 ')