commit: edc91c3a2edac1ca2915691a16060d6b53704b40 Author: Kenton Groombridge <me <AT> concord <DOT> sh> AuthorDate: Mon Dec 12 15:35:32 2022 +0000 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> CommitDate: Tue Dec 13 19:07:47 2022 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=edc91c3a
various: use mmap_manage_file_perms Replace instances of manage_file_perms and map with mmap_manage_file_perms Signed-off-by: Kenton Groombridge <me <AT> concord.sh> Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org> policy/modules/admin/alsa.te | 2 +- policy/modules/admin/apt.if | 2 +- policy/modules/apps/mozilla.te | 2 +- policy/modules/apps/pulseaudio.if | 2 +- policy/modules/apps/pulseaudio.te | 2 +- policy/modules/services/aptcacher.te | 2 +- policy/modules/services/mailman.te | 8 ++++---- policy/modules/services/matrixd.te | 2 +- policy/modules/services/nsd.te | 2 +- policy/modules/services/postfix.te | 2 +- 10 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 2f6efcbeb..3b6a129c1 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -68,7 +68,7 @@ manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
 files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
 userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
-allow alsa_t alsa_tmpfs_t:file { manage_file_perms map };
+allow alsa_t alsa_tmpfs_t:file mmap_manage_file_perms;
 fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
 manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 6d5d3f33a..5787e9804 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
 files_search_var($1)
 allow $1 apt_var_cache_t:dir manage_dir_perms;
- allow $1 apt_var_cache_t:file { manage_file_perms map };
+ allow $1 apt_var_cache_t:file mmap_manage_file_perms;
 ')
 ########################################
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 03a9b9d6e..ba6b2376c 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
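Review bot: The definition of `mmap_manage_file_perms` is not part of this diff, so replacing `{ manage_file_perms map }` on the `alsa_tmpfs_t` line is permission-neutral only if that set expands to exactly the manage set plus `map`. The same holds for every other hunk in this commit (apt.if, mozilla.te, pulseaudio.if, pulseaudio.te, aptcacher.te, mailman.te, matrixd.te, nsd.te, postfix.te). Comparing the compiled policy before and after the change, for example with `sediff`, would confirm that no allow rule gained or lost a permission.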
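Review bot: `apt_manage_cache` grants the calling domain `map` on `apt_var_cache_t` files on top of the manage set, which the interface name alone does not convey. The interface's `## <summary>` block starts above this hunk and is not visible here; if it only speaks of managing the cache, it should also say the files can be memory-mapped, for instance `Create, read, write, delete and mmap apt cache files.` That lets callers see the full grant without expanding the permission set.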
@@ -86,7 +86,7 @@ allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms;
 allow mozilla_t mozilla_plugin_t:fd use;
 allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms map };
+allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file mmap_manage_file_perms;
 allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
 userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
 userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
index b2d2f1d43..c7df8b8a7 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -45,7 +45,7 @@ template(`pulseaudio_role',`
 allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms map };
+ allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { mmap_manage_file_perms relabel_file_perms };
 allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
 allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 2bb0ee79e..b26123e86 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -59,7 +59,7 @@ allow pulseaudio_t self:tcp_socket { accept listen };
 allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
-allow pulseaudio_t pulseaudio_home_t:file { manage_file_perms map };
+allow pulseaudio_t pulseaudio_home_t:file mmap_manage_file_perms;
 allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
 userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")
diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te
index ac29c8728..10a0e54e1 100644
--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -51,7 +51,7 @@ allow aptcacher_t aptcacher_conf_t:file mmap_read_file_perms;
 allow aptcacher_t aptcacher_conf_t:lnk_file read_lnk_file_perms;
 allow aptcacher_t aptcacher_cache_t:dir manage_dir_perms;
-allow aptcacher_t aptcacher_cache_t:file { manage_file_perms map };
+allow aptcacher_t aptcacher_cache_t:file mmap_manage_file_perms;
 allow aptcacher_t aptcacher_cache_t:lnk_file manage_lnk_file_perms;
 allow aptcacher_t aptcacher_lib_t:file map;
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index 97a000d27..fe52b6fd8 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -109,7 +109,7 @@ allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
 allow mailman_cgi_t mailman_archive_t:file read_file_perms;
 allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
-allow mailman_cgi_t mailman_data_t:file { map manage_file_perms };
+allow mailman_cgi_t mailman_data_t:file mmap_manage_file_perms;
 allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
 allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
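Review bot: The last context line of the aptcacher.te hunk, `allow aptcacher_t aptcacher_lib_t:file map;`, remains a bare `map` grant after this cleanup. If the read or manage permissions for `aptcacher_lib_t` files come from a pattern or rule outside this hunk, folding them into a single `mmap_*` permission set would bring that line in step with the `aptcacher_cache_t` line changed here. The rest of the `aptcacher_lib_t` rules are not visible, so this is something to check rather than a confirmed inconsistency.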
@@ -123,7 +123,7 @@ allow mailman_cgi_t mailman_runtime_t:file read_file_perms;
 allow mailman_cgi_t mailman_runtime_t:sock_file manage_sock_file_perms;
 fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file)
-allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms };
+allow mailman_cgi_t mailman_cgi_tmpfs_t:file mmap_manage_file_perms;
 kernel_read_net_sysctls(mailman_cgi_t)
 kernel_read_system_state(mailman_cgi_t)
@@ -283,7 +283,7 @@ allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
 allow mailman_queue_t mailman_archive_t:file manage_file_perms;
 allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
-allow mailman_queue_t mailman_data_t:file { map manage_file_perms };
+allow mailman_queue_t mailman_data_t:file mmap_manage_file_perms;
 allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
 allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
@@ -293,7 +293,7 @@ allow mailman_queue_t mailman_log_t:dir list_dir_perms;
 allow mailman_queue_t mailman_log_t:file manage_file_perms;
 fs_tmpfs_filetrans(mailman_queue_t, mailman_queue_tmpfs_t, file)
-allow mailman_queue_t mailman_queue_tmpfs_t:file { map manage_file_perms };
+allow mailman_queue_t mailman_queue_tmpfs_t:file mmap_manage_file_perms;
 kernel_read_network_state(mailman_queue_t)
 kernel_read_system_state(mailman_queue_t)
diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te
index 394969cbc..4ac31d901 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -51,7 +51,7 @@ allow matrixd_t self:unix_dgram_socket create_socket_perms;
 # https://cffi.readthedocs.io/en/latest/using.html#callbacks
 allow matrixd_t self:process { getsched execmem };
-allow matrixd_t matrixd_tmp_t:file { manage_file_perms map };
+allow matrixd_t matrixd_tmp_t:file mmap_manage_file_perms;
 files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
 fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file)
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
index 3cf2b363a..ee161f791 100644
--- a/policy/modules/services/nsd.te
+++ b/policy/modules/services/nsd.te
@@ -44,7 +44,7 @@ allow nsd_t nsd_conf_t:dir list_dir_perms;
 allow nsd_t nsd_conf_t:file read_file_perms;
 allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms;
-allow nsd_t nsd_db_t:file { manage_file_perms map };
+allow nsd_t nsd_db_t:file mmap_manage_file_perms;
 filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
 manage_files_pattern(nsd_t, nsd_runtime_t, nsd_runtime_t)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index c58b11e0b..e546e7e62 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -508,7 +508,7 @@ allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid
 allow postfix_map_t self:tcp_socket { accept listen };
 allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
-allow postfix_map_t postfix_etc_t:file { manage_file_perms map };
+allow postfix_map_t postfix_etc_t:file mmap_manage_file_perms;
 allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
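Review bot: In the postfix.te hunk, `postfix_map_t` keeps the full manage set plus `map` on every file labelled `postfix_etc_t`, and the line carries no comment saying why a helper domain needs that on a configuration type. Presumably it is for the lookup tables that postmap writes next to the config files; a comment such as `# postmap creates and mmaps lookup tables alongside the config files` would record the reason. It would also let a later reviewer judge whether a narrower type for those tables is feasible. The grant predates this commit, which only respells it, so this is a documentation request on the new line rather than a regression.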