Merge pull request #788 from freedom1b2830/main

C-005 Cleanup (Reorder perms and classes)(rebased)

doc/example.te

@@ -22,7 +22,7 @@ files_tmp_file(myapp_tmp_t)
 # Myapp local policy
 #
 
-allow myapp_t myapp_log_t:file { read_file_perms append_file_perms };
+allow myapp_t myapp_log_t:file { append_file_perms read_file_perms };
 
 allow myapp_t myapp_tmp_t:file manage_file_perms;
 files_tmp_filetrans(myapp_t,myapp_tmp_t,file)

policy/modules/admin/amanda.if

@@ -138,7 +138,7 @@ interface(`amanda_append_log_files',`
 	')
 
 	logging_search_logs($1)
-	allow $1 amanda_log_t:file { read_file_perms append_file_perms };
+	allow $1 amanda_log_t:file { append_file_perms read_file_perms };
 ')
 
 #######################################

policy/modules/admin/amanda.te

@@ -140,7 +140,7 @@ logging_send_syslog_msg(amanda_t)
 #
 
 allow amanda_recover_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
-allow amanda_recover_t self:process { sigkill sigstop signal };
+allow amanda_recover_t self:process { sigkill signal sigstop };
 allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
 allow amanda_recover_t self:unix_stream_socket create_socket_perms;
 allow amanda_recover_t self:tcp_socket { accept listen };

policy/modules/admin/anaconda.te

@@ -22,7 +22,7 @@ role system_r types anaconda_t;
 #
 
 allow anaconda_t self:process execmem;
-allow anaconda_t self:passwd { rootok passwd chfn chsh };
+allow anaconda_t self:passwd { chfn chsh passwd rootok };
 
 kernel_domtrans_to(anaconda_t, anaconda_exec_t)
 

policy/modules/admin/apt.te

@@ -40,7 +40,7 @@ logging_log_file(apt_var_log_t)
 #
 
 allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
-allow apt_t self:process { signal setpgid fork };
+allow apt_t self:process { fork setpgid signal };
 allow apt_t self:fd use;
 allow apt_t self:fifo_file rw_fifo_file_perms;
 allow apt_t self:unix_dgram_socket sendto;
@@ -50,7 +50,7 @@ allow apt_t self:tcp_socket create_stream_socket_perms;
 allow apt_t self:shm create_shm_perms;
 allow apt_t self:sem create_sem_perms;
 allow apt_t self:msgq create_msgq_perms;
-allow apt_t self:msg { send receive };
+allow apt_t self:msg { receive send };
 allow apt_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow apt_t apt_lock_t:dir manage_dir_perms;

policy/modules/admin/blueman.te

@@ -21,7 +21,7 @@ files_type(blueman_var_lib_t)
 #
 
 allow blueman_t self:capability { net_admin sys_nice };
-allow blueman_t self:process { signal_perms setsched };
+allow blueman_t self:process { setsched signal_perms };
 allow blueman_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)

policy/modules/admin/bootloader.te

@@ -43,7 +43,7 @@ dev_node(bootloader_tmp_t)
 
 allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
 dontaudit bootloader_t self:capability { net_admin sys_resource };
-allow bootloader_t self:process { signal_perms execmem };
+allow bootloader_t self:process { execmem signal_perms };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
 allow bootloader_t bootloader_etc_t:file read_file_perms;
@@ -203,7 +203,7 @@ ifdef(`distro_redhat',`
 	# for memlock
 	allow bootloader_t self:capability ipc_lock;
 
-	allow bootloader_t boot_runtime_t:file { read_file_perms delete_file_perms };
+	allow bootloader_t boot_runtime_t:file { delete_file_perms read_file_perms };
 
 	# new file system defaults to unlabeled, granting unlabeled access is still bad.
 	kernel_manage_unlabeled_dirs(bootloader_t)

policy/modules/admin/certwatch.te

@@ -19,7 +19,7 @@ role certwatch_roles types certwatch_t;
 #
 
 allow certwatch_t self:capability sys_nice;
-allow certwatch_t self:process { setsched getsched };
+allow certwatch_t self:process { getsched setsched };
 
 dev_read_urand(certwatch_t)
 

policy/modules/admin/cloudinit.te

@@ -51,7 +51,7 @@ allow cloud_init_t self:fifo_file rw_fifo_file_perms;
 allow cloud_init_t self:unix_dgram_socket create_socket_perms;
 allow cloud_init_t self:passwd passwd;
 
-allow cloud_init_t cloud_init_log_t:file { create_file_perms append_file_perms read setattr };
+allow cloud_init_t cloud_init_log_t:file { append_file_perms create_file_perms read setattr };
 logging_log_filetrans(cloud_init_t, cloud_init_log_t, file)
 
 manage_files_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_t)

policy/modules/admin/consoletype.te

@@ -16,7 +16,7 @@ init_system_domain(consoletype_t, consoletype_exec_t)
 #
 
 allow consoletype_t self:capability { sys_admin sys_tty_config };
-allow consoletype_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow consoletype_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
 allow consoletype_t self:fd use;
 allow consoletype_t self:fifo_file rw_fifo_file_perms;
 allow consoletype_t self:sock_file read_sock_file_perms;
@@ -27,7 +27,7 @@ allow consoletype_t self:unix_stream_socket connectto;
 allow consoletype_t self:shm create_shm_perms;
 allow consoletype_t self:sem create_sem_perms;
 allow consoletype_t self:msgq create_msgq_perms;
-allow consoletype_t self:msg { send receive };
+allow consoletype_t self:msg { receive send };
 
 kernel_use_fds(consoletype_t)
 kernel_dontaudit_read_system_state(consoletype_t)

policy/modules/admin/dphysswapfile.te

@@ -29,7 +29,7 @@ init_unit_file(dphysswapfile_unit_t)
 # sys_admin : swapon
 allow dphysswapfile_t self:capability sys_admin;
 allow dphysswapfile_t self:fifo_file rw_fifo_file_perms;
-allow dphysswapfile_t self:unix_stream_socket { create connect };
+allow dphysswapfile_t self:unix_stream_socket { connect create };
 
 allow dphysswapfile_t dphysswapfile_conf_t:file read_file_perms;
 

policy/modules/admin/dpkg.te

@@ -54,7 +54,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t)
 #
 
 allow dpkg_t self:capability { chown dac_override fowner fsetid kill linux_immutable mknod setgid setuid sys_nice sys_resource sys_tty_config };
-allow dpkg_t self:process { setpgid fork getsched setfscreate };
+allow dpkg_t self:process { fork getsched setfscreate setpgid };
 allow dpkg_t self:fd use;
 allow dpkg_t self:fifo_file rw_fifo_file_perms;
 allow dpkg_t self:unix_dgram_socket create_socket_perms;
@@ -66,7 +66,7 @@ allow dpkg_t self:tcp_socket create_stream_socket_perms;
 allow dpkg_t self:shm create_shm_perms;
 allow dpkg_t self:sem create_sem_perms;
 allow dpkg_t self:msgq create_msgq_perms;
-allow dpkg_t self:msg { send receive };
+allow dpkg_t self:msg { receive send };
 
 allow dpkg_t dpkg_lock_t:file manage_file_perms;
 
@@ -201,7 +201,7 @@ optional_policy(`
 #
 
 allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setfcap setgid setuid sys_chroot sys_nice sys_ptrace };
-allow dpkg_script_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow dpkg_script_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setfscreate setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
 allow dpkg_script_t self:fd use;
 allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
 allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
@@ -211,7 +211,7 @@ allow dpkg_script_t self:unix_stream_socket connectto;
 allow dpkg_script_t self:shm create_shm_perms;
 allow dpkg_script_t self:sem create_sem_perms;
 allow dpkg_script_t self:msgq create_msgq_perms;
-allow dpkg_script_t self:msg { send receive };
+allow dpkg_script_t self:msg { receive send };
 allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow dpkg_script_t self:udp_socket create_socket_perms;
 

policy/modules/admin/firstboot.te

@@ -1,7 +1,7 @@
 policy_module(firstboot)
 
 gen_require(`
-	class passwd { passwd chfn chsh rootok };
+	class passwd { chfn chsh passwd rootok };
 ')
 
 ########################################
@@ -33,7 +33,7 @@ allow firstboot_t self:capability { dac_override setgid };
 allow firstboot_t self:process setfscreate;
 allow firstboot_t self:fifo_file rw_fifo_file_perms;
 allow firstboot_t self:tcp_socket { accept listen };
-allow firstboot_t self:passwd { rootok passwd chfn chsh };
+allow firstboot_t self:passwd { chfn chsh passwd rootok };
 
 allow firstboot_t firstboot_etc_t:file read_file_perms;
 

policy/modules/admin/logrotate.te

@@ -36,11 +36,11 @@ init_unit_file(logrotate_unit_t)
 #
 
 # sys_ptrace is for systemctl
-allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource };
+allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_ptrace sys_resource };
 dontaudit logrotate_t self:cap_userns sys_ptrace;
 # systemctl asks for net_admin
 dontaudit logrotate_t self:capability net_admin;
-allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow logrotate_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition };
 allow logrotate_t self:fd use;
 allow logrotate_t self:key manage_key_perms;
 allow logrotate_t self:fifo_file rw_fifo_file_perms;
@@ -49,7 +49,7 @@ allow logrotate_t self:unix_stream_socket { accept connectto listen };
 allow logrotate_t self:shm create_shm_perms;
 allow logrotate_t self:sem create_sem_perms;
 allow logrotate_t self:msgq create_msgq_perms;
-allow logrotate_t self:msg { send receive };
+allow logrotate_t self:msg { receive send };
 
 allow logrotate_t logrotate_lock_t:file manage_file_perms;
 files_lock_filetrans(logrotate_t, logrotate_lock_t, file)

policy/modules/admin/logwatch.te

@@ -38,7 +38,7 @@ role system_r types logwatch_mail_t;
 #
 
 allow logwatch_t self:capability { dac_override dac_read_search setgid };
-allow logwatch_t self:process { signal getsched };
+allow logwatch_t self:process { getsched signal };
 allow logwatch_t self:fifo_file rw_fifo_file_perms;
 allow logwatch_t self:unix_stream_socket { accept listen };
 

policy/modules/admin/mcelog.te

@@ -112,7 +112,7 @@ tunable_policy(`mcelog_foreground',`
 ')
 
 tunable_policy(`mcelog_server',`
-	allow mcelog_t self:unix_stream_socket { listen accept };
+	allow mcelog_t self:unix_stream_socket { accept listen };
 ')
 
 tunable_policy(`mcelog_syslog',`

policy/modules/admin/netutils.te

@@ -112,8 +112,8 @@ allow ping_t self:capability { net_raw setuid };
 allow ping_t self:process { getcap setcap };
 dontaudit ping_t self:capability sys_tty_config;
 allow ping_t self:tcp_socket create_socket_perms;
-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
-allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:rawip_socket { bind create getattr getopt ioctl read setopt write };
+allow ping_t self:packet_socket { bind create getopt ioctl read setopt write };
 allow ping_t self:netlink_route_socket create_netlink_socket_perms;
 allow ping_t self:icmp_socket create_socket_perms;
 
@@ -163,7 +163,7 @@ allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
 allow traceroute_t self:process signal;
 allow traceroute_t self:netlink_generic_socket create_socket_perms;
 allow traceroute_t self:rawip_socket create_socket_perms;
-allow traceroute_t self:packet_socket { map create_socket_perms };
+allow traceroute_t self:packet_socket { create_socket_perms map };
 allow traceroute_t self:udp_socket create_socket_perms;
 
 can_exec(traceroute_t, traceroute_exec_t)

policy/modules/admin/portage.if

@@ -71,13 +71,13 @@ interface(`portage_compile_domain',`
 
 	allow $1 self:capability { chown dac_override fowner fsetid mknod net_raw setgid setuid };
 	dontaudit $1 self:capability sys_chroot;
-	allow $1 self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
+	allow $1 self:process { dyntransition execmem getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition };
 	allow $1 self:fd use;
 	allow $1 self:fifo_file rw_fifo_file_perms;
 	allow $1 self:shm create_shm_perms;
 	allow $1 self:sem create_sem_perms;
 	allow $1 self:msgq create_msgq_perms;
-	allow $1 self:msg { send receive };
+	allow $1 self:msg { receive send };
 	allow $1 self:unix_dgram_socket create_socket_perms;
 	allow $1 self:unix_stream_socket create_stream_socket_perms;
 	allow $1 self:unix_dgram_socket sendto;
@@ -96,7 +96,7 @@ interface(`portage_compile_domain',`
 
 	# write compile logs
 	allow $1 portage_log_t:dir setattr_dir_perms;
-	allow $1 portage_log_t:file { write_file_perms setattr_file_perms };
+	allow $1 portage_log_t:file { setattr_file_perms write_file_perms };
 
 	# Support live ebuilds (-9999)
 	manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)

policy/modules/admin/portage.te

@@ -353,7 +353,7 @@ dontaudit portage_sandbox_t self:netlink_route_socket create_netlink_socket_perm
 dontaudit portage_sandbox_t portage_cache_t:dir { setattr_dir_perms };
 dontaudit portage_sandbox_t portage_cache_t:file { setattr_file_perms write };
 
-allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms };
+allow portage_sandbox_t portage_log_t:file { append_file_perms create_file_perms delete_file_perms setattr_file_perms };
 logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
 
 allow portage_sandbox_t portage_tmp_t:dir watch;

policy/modules/admin/prelink.te

@@ -53,10 +53,10 @@ append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
 read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
 logging_log_filetrans(prelink_t, prelink_log_t, file)
 
-allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_exec_file_perms relabel_file_perms execmod };
+allow prelink_t prelink_tmp_t:file { execmod manage_file_perms mmap_exec_file_perms relabel_file_perms };
 files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
 
-allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_exec_file_perms relabel_file_perms execmod };
+allow prelink_t prelink_tmpfs_t:file { execmod manage_file_perms mmap_exec_file_perms relabel_file_perms };
 fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
 
 manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
@@ -156,7 +156,7 @@ optional_policy(`
 
 optional_policy(`
 	allow prelink_cron_system_t self:capability setuid;
-	allow prelink_cron_system_t self:process { setsched setfscreate signal };
+	allow prelink_cron_system_t self:process { setfscreate setsched signal };
 	allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
 	allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms;
 

policy/modules/admin/puppet.te

@@ -63,7 +63,7 @@ files_tmp_file(puppetmaster_tmp_t)
 #
 
 allow puppet_t self:capability { chown dac_override fowner fsetid setgid setuid sys_admin sys_nice sys_tty_config };
-allow puppet_t self:process { signal signull getsched setsched };
+allow puppet_t self:process { getsched setsched signal signull };
 allow puppet_t self:fifo_file rw_fifo_file_perms;
 allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
 allow puppet_t self:tcp_socket { accept listen };
@@ -257,7 +257,7 @@ optional_policy(`
 #
 
 allow puppetmaster_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
-allow puppetmaster_t self:process { signal_perms getsched setsched };
+allow puppetmaster_t self:process { getsched setsched signal_perms };
 allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
 allow puppetmaster_t self:netlink_route_socket nlmsg_write;
 allow puppetmaster_t self:socket create;
@@ -277,7 +277,7 @@ logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
 allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
 allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms };
 
-allow puppetmaster_t puppet_runtime_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms };
+allow puppetmaster_t puppet_runtime_t:dir { create_dir_perms relabel_dir_perms setattr_dir_perms };
 allow puppetmaster_t puppet_runtime_t:file manage_file_perms;
 files_runtime_filetrans(puppetmaster_t, puppet_runtime_t, { file dir })
 

policy/modules/admin/quota.te

@@ -33,7 +33,7 @@ files_runtime_file(quota_nld_runtime_t)
 # Local policy
 #
 
-allow quota_t self:capability { dac_override sys_admin linux_immutable };
+allow quota_t self:capability { dac_override linux_immutable sys_admin};
 dontaudit quota_t self:capability sys_tty_config;
 allow quota_t self:process signal_perms;
 

policy/modules/admin/rpm.te

@@ -82,8 +82,8 @@ files_tmpfs_file(rpm_script_tmpfs_t)
 # rpm Local policy
 #
 
-allow rpm_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config };
-allow rpm_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
+allow rpm_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config };
+allow rpm_t self:process { dyntransition execmem getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition };
 allow rpm_t self:fd use;
 allow rpm_t self:fifo_file rw_fifo_file_perms;
 allow rpm_t self:unix_dgram_socket sendto;
@@ -93,7 +93,7 @@ allow rpm_t self:tcp_socket { accept listen };
 allow rpm_t self:shm create_shm_perms;
 allow rpm_t self:sem create_sem_perms;
 allow rpm_t self:msgq create_msgq_perms;
-allow rpm_t self:msg { send receive };
+allow rpm_t self:msg { receive send };
 allow rpm_t self:file rw_file_perms;
 allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
 
@@ -258,15 +258,15 @@ optional_policy(`
 #
 
 allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setgid setuid sys_admin sys_chroot sys_nice sys_rawio };
-allow rpm_script_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execmem execstack setkeycreate setsockcreate getrlimit };
+allow rpm_script_t self:process { dyntransition execmem execstack getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
 allow rpm_script_t self:fd use;
 allow rpm_script_t self:fifo_file rw_fifo_file_perms;
 allow rpm_script_t self:unix_dgram_socket sendto;
 allow rpm_script_t self:unix_stream_socket { accept connectto listen };
 allow rpm_script_t self:shm create_shm_perms;
 allow rpm_script_t self:sem create_sem_perms;
 allow rpm_script_t self:msgq create_msgq_perms;
-allow rpm_script_t self:msg { send receive };
+allow rpm_script_t self:msg { receive send };
 allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 allow rpm_script_t rpm_t:netlink_route_socket { read write };

policy/modules/admin/samhain.te

@@ -46,7 +46,7 @@ ifdef(`enable_mls',`
 
 allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock };
 dontaudit samhain_domain self:capability { sys_ptrace sys_resource };
-allow samhain_domain self:process { setsched setrlimit signull };
+allow samhain_domain self:process { setrlimit setsched signull };
 allow samhain_domain self:fd use;
 allow samhain_domain self:fifo_file rw_fifo_file_perms;
 

policy/modules/admin/sosreport.te

@@ -33,7 +33,7 @@ optional_policy(`
 
 allow sosreport_t self:capability { dac_override kill net_admin net_raw setuid sys_admin sys_nice };
 dontaudit sosreport_t self:capability sys_ptrace;
-allow sosreport_t self:process { setsched setpgid signal_perms };
+allow sosreport_t self:process { setpgid setsched signal_perms };
 allow sosreport_t self:fifo_file rw_fifo_file_perms;
 allow sosreport_t self:tcp_socket { accept listen };
 allow sosreport_t self:unix_stream_socket { accept listen };