commit: b8090bfeb7461011bfbbfc43d47caab6fc863d3d Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> AuthorDate: Wed Feb 15 23:47:33 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Fri Feb 17 08:13:38 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b8090bfe
Sort capabilities permissions from Russell Coker. policy/modules/admin/bootloader.te | 2 +- policy/modules/admin/netutils.te | 6 +++--- policy/modules/admin/su.if | 4 ++-- policy/modules/admin/sudo.if | 2 +- policy/modules/admin/usermanage.te | 10 +++++----- policy/modules/apps/seunshare.te | 2 +- policy/modules/kernel/files.if | 2 +- policy/modules/roles/auditadm.te | 2 +- policy/modules/roles/logadm.te | 2 +- policy/modules/roles/secadm.te | 2 +- policy/modules/services/postgresql.te | 4 ++-- policy/modules/services/ssh.if | 4 ++-- policy/modules/services/ssh.te | 2 +- policy/modules/services/xserver.te | 4 ++-- policy/modules/system/fstools.te | 2 +- policy/modules/system/getty.te | 2 +- policy/modules/system/hotplug.te | 4 ++-- policy/modules/system/ipsec.te | 4 ++-- policy/modules/system/iptables.te | 2 +- policy/modules/system/locallogin.te | 2 +- policy/modules/system/logging.if | 2 +- policy/modules/system/logging.te | 10 +++++----- policy/modules/system/lvm.te | 4 ++-- policy/modules/system/mount.te | 2 +- policy/modules/system/selinuxutil.te | 4 ++-- policy/modules/system/sysnetwork.te | 6 +++--- policy/modules/system/systemd.te | 4 ++-- policy/modules/system/udev.te | 2 +- policy/modules/system/userdomain.if | 8 ++++---- 29 files changed, 53 insertions(+), 53 deletions(-)
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 8ed70327..8b7c18cd 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -41,7 +41,7 @@ dev_node(bootloader_tmp_t) # bootloader local policy #
-allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
+allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod sys_admin sys_rawio };
 allow bootloader_t self:process { signal_perms execmem }; allow bootloader_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 9eabff3a..744a2aa3 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -33,7 +33,7 @@ init_system_domain(traceroute_t, traceroute_exec_t) # # Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot };
+allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setuid sys_chroot };
 dontaudit netutils_t self:capability { dac_override sys_tty_config }; allow netutils_t self:process { setcap signal_perms }; allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
@@ -107,7 +107,7 @@ optional_policy(` # Ping local policy #
-allow ping_t self:capability { setuid net_raw };
+allow ping_t self:capability { net_raw setuid };
 # When ping is installed with capabilities instead of setuid allow ping_t self:process { getcap setcap }; dontaudit ping_t self:capability sys_tty_config;
@@ -168,7 +168,7 @@ optional_policy(` # Traceroute local policy #
-allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+allow traceroute_t self:capability { net_admin net_raw setgid setuid };
 allow traceroute_t self:rawip_socket create_socket_perms; allow traceroute_t self:packet_socket create_socket_perms; allow traceroute_t self:udp_socket create_socket_perms;
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 02aabd81..4a434b84 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -41,7 +41,7 @@ template(`su_restricted_domain_template', ` allow $2 $1_su_t:process signal;
- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource };
 dontaudit $1_su_t self:capability sys_tty_config; allow $1_su_t self:key { search write }; allow $1_su_t self:process { setexec setsched setrlimit };
@@ -160,7 +160,7 @@ template(`su_role_template',` allow $3 $1_su_t:process signal;
- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource };
 dontaudit $1_su_t self:capability sys_tty_config; allow $1_su_t self:process { setexec setsched setrlimit }; allow $1_su_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index e65690dc..b8fb9dfc 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -52,7 +52,7 @@ template(`sudo_role_template',` # # Use capabilities.
- allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
+ allow $1_sudo_t self:capability { chown dac_override fowner setgid setuid sys_nice sys_resource };
 allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_sudo_t self:process { setexec setrlimit }; allow $1_sudo_t self:fd use;
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index ab0ba0af..b3909030 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -69,7 +69,7 @@ role useradd_roles types useradd_t; # Chfn local policy #
-allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow chfn_t self:capability { chown dac_override fsetid setgid setuid sys_resource };
 allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow chfn_t self:process { setrlimit setfscreate }; allow chfn_t self:fd use;
@@ -189,7 +189,7 @@ optional_policy(` # Groupadd local policy #
-allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
+allow groupadd_t self:capability { audit_write chown dac_override kill setuid sys_resource };
 dontaudit groupadd_t self:capability { fsetid sys_tty_config }; allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow groupadd_t self:process { setrlimit setfscreate };
@@ -276,7 +276,7 @@ optional_policy(` # Passwd local policy #
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
+allow passwd_t self:capability { chown dac_override fsetid setgid setuid sys_nice sys_resource };
 dontaudit passwd_t self:capability sys_tty_config; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate };
@@ -365,7 +365,7 @@ optional_policy(` # Password admin local policy #
-allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow sysadm_passwd_t self:capability { chown dac_override fsetid setgid setuid sys_resource };
 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sysadm_passwd_t self:process { setrlimit setfscreate }; allow sysadm_passwd_t self:fd use;
@@ -449,7 +449,7 @@ optional_policy(` # Useradd local policy #
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
+allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate;
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
index 75901658..dba409bd 100644
--- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te
@@ -15,7 +15,7 @@ role system_r types seunshare_t; # seunshare local policy #
-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
+allow seunshare_t self:capability { dac_override setpcap setuid sys_admin };
 allow seunshare_t self:process { setexec signal getcap setcap }; allow seunshare_t self:fifo_file rw_file_perms;
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f82c792b..6babfb90 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6849,7 +6849,7 @@ interface(`files_polyinstantiate_all',` selinux_compute_member($1) # Need sys_admin capability for mounting
- allow $1 self:capability { chown fsetid sys_admin fowner };
+ allow $1 self:capability { chown fowner fsetid sys_admin };
 # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 0f02e914..bbc3527e 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -13,7 +13,7 @@ userdom_unpriv_user_template(auditadm) # Local policy #
-allow auditadm_t self:capability { dac_read_search dac_override };
+allow auditadm_t self:capability { dac_override dac_read_search };
 kernel_read_ring_buffer(auditadm_t)
diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
index 3a45a3ef..b524c0b5 100644
--- a/policy/modules/roles/logadm.te
+++ b/policy/modules/roles/logadm.te
@@ -14,6 +14,6 @@ userdom_base_user_template(logadm) # logadmin local policy #
-allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice sys_ptrace };
 logging_admin(logadm_t, logadm_r)
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index 3d458944..763b71e1 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -15,7 +15,7 @@ userdom_security_admin_template(secadm_t, secadm_r) # Local policy #
-allow secadm_t self:capability { dac_read_search dac_override };
+allow secadm_t self:capability { dac_override dac_read_search };
 corecmd_exec_shell(secadm_t)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 5b2508da..e21ce738 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -227,8 +227,8 @@ postgresql_view_object(user_sepgsql_view_t) # # postgresql Local policy #
-allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
-dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
+allow postgresql_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_admin sys_nice sys_tty_config };
+dontaudit postgresql_t self:capability { sys_admin sys_tty_config };
 allow postgresql_t self:process signal_perms; allow postgresql_t self:fifo_file rw_fifo_file_perms; allow postgresql_t self:file { getattr read };
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 3fda8872..486339f0 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -56,7 +56,7 @@ template(`ssh_basic_client_template',` # Client local policy #
- allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
+ allow $1_ssh_t self:capability { dac_override dac_read_search setgid setuid };
 allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_ssh_t self:fd use; allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
@@ -181,7 +181,7 @@ template(`ssh_server_template', ` type $1_var_run_t; files_pid_file($1_var_run_t)
- allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+ allow $1_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot sys_nice sys_resource sys_tty_config };
 allow $1_t self:fifo_file rw_fifo_file_perms; allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; allow $1_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 78b8b909..8c0b009f 100644
--- a/policy/modules/services/ssh.te
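Review bot: In policy/modules/services/postgresql.te (hunk @@ -227,8) the sorted `allow postgresql_t self:capability` list grants `sys_admin` and `sys_tty_config`, and the `dontaudit` line directly below names the same two capabilities, so that dontaudit rule has no denial left to suppress. One of the two lines is presumably stale: if the server does not need these capabilities, drop them from the allow list and keep the dontaudit (`sys_admin` in particular is a broad grant for a database daemon); if it does need them, remove the dontaudit. The same allow/dontaudit overlap on `sys_tty_config` is visible for getty_t, hotplug_t, syslogd_t and dhcpc_t in the getty.te, hotplug.te, logging.te and sysnetwork.te hunks of this commit.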
+++ b/policy/modules/services/ssh.te
@@ -99,7 +99,7 @@ ifdef(`distro_debian',` # SSH client local policy #
-allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+allow ssh_t self:capability { dac_override dac_read_search setgid setuid };
 allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 9c1a0276..68014747 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -314,7 +314,7 @@ optional_policy(` # XDM Local policy #
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+allow xdm_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_owner kill mknod net_bind_service setgid setuid sys_nice sys_rawio sys_resource sys_tty_config };
 dontaudit xdm_t self:capability sys_admin; allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms }; allow xdm_t self:fifo_file rw_fifo_file_perms;
@@ -637,7 +637,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack
-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+allow xserver_t self:capability { dac_override fowner fsetid ipc_owner mknod net_bind_service setgid setuid sys_admin sys_nice sys_rawio sys_tty_config };
 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use;
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 16bd0676..9d729671 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -28,7 +28,7 @@ files_type(swapfile_t) # # ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
+allow fsadm_t self:capability { dac_override dac_read_search ipc_lock sys_admin sys_rawio sys_resource sys_tty_config };
 allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap }; allow fsadm_t self:fd use; allow fsadm_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index af898997..69c2274d 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -33,7 +33,7 @@ files_pid_file(getty_var_run_t) # # Use capabilities.
-allow getty_t self:capability { dac_override chown setgid sys_admin sys_resource sys_tty_config fowner fsetid };
+allow getty_t self:capability { chown dac_override fowner fsetid setgid sys_admin sys_resource sys_tty_config };
 dontaudit getty_t self:capability sys_tty_config; allow getty_t self:process { getpgid setpgid getsession signal_perms }; allow getty_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index 4572650b..8c7e5ff5 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
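Review bot: In policy/modules/system/fstools.te (hunk @@ -28,7) the unchanged context line `allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };` lists `execmem` twice and never lists `execstack`. Because this is a complement set, a permission missing from the braces is granted, so fsadm_t appears to be allowed `execstack`, whereas the other domains touched by this commit (sudo, passwd, ssh, ifconfig) exclude all of `execmem execstack execheap`. This looks like a typo that predates the commit; if so the line should read `allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };`, which is better handled in a follow-up than folded into a sort-only change.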
@@ -22,8 +22,8 @@ files_pid_file(hotplug_var_run_t) # Local policy #
-allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
-dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
+allow hotplug_t self:capability { mknod net_admin sys_rawio sys_tty_config };
+dontaudit hotplug_t self:capability { sys_admin sys_module sys_ptrace sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat dontaudit hotplug_t self:capability { dac_override dac_read_search }; allow hotplug_t self:process { setpgid getsession getattr signal_perms };
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 68018111..72dd736b 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -80,7 +80,7 @@ role system_r types setkey_t; # ipsec Local policy #
-allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice };
+allow ipsec_t self:capability { chown dac_override dac_read_search net_admin setgid setpcap setuid sys_nice };
 dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms;
@@ -460,7 +460,7 @@ userdom_use_user_terminals(setkey_t) # ipsec_supervisor policy #
-allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin };
+allow ipsec_supervisor_t self:capability { dac_override dac_read_search kill net_admin };
 allow ipsec_supervisor_t self:process { signal }; allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms; allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index e062e44c..0380f55b 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -33,7 +33,7 @@ files_pid_file(iptables_var_run_t) # Iptables local policy #
-allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
+allow iptables_t self:capability { dac_override dac_read_search net_admin net_raw };
 dontaudit iptables_t self:capability sys_tty_config; allow iptables_t self:fifo_file rw_fifo_file_perms; allow iptables_t self:process { sigchld sigkill sigstop signull signal };
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 8748ca83..174ba9f4 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -32,7 +32,7 @@ role system_r types sulogin_t; # Local login local policy #
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
 allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow local_login_t self:process { setrlimit setexec }; allow local_login_t self:fd use;
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index f7d3d698..ba463497 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -119,7 +119,7 @@ interface(`logging_set_tty_audit',` ## </param> # interface(`logging_set_audit_parameters',`
- allow $1 self:capability { audit_write audit_control };
+ allow $1 self:capability { audit_control audit_write };
 allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 9232f267..94be02e5 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -99,7 +99,7 @@ ifdef(`enable_mls',` # Auditctl local policy #
-allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+allow auditctl_t self:capability { dac_override dac_read_search fsetid };
 allow auditctl_t self:process getcap; allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
@@ -275,7 +275,7 @@ optional_policy(` # Audit remote logger local policy #
-allow audisp_remote_t self:capability { setuid setpcap };
+allow audisp_remote_t self:capability { setpcap setuid };
 allow audisp_remote_t self:process { getcap setcap }; allow audisp_remote_t self:tcp_socket create_socket_perms; allow audisp_remote_t var_log_t:dir search_dir_perms;
@@ -373,8 +373,8 @@ optional_policy(` # sys_admin for the integrated klog of syslog-ng and metalog # sys_nice for rsyslog # cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
-dontaudit syslogd_t self:capability { sys_tty_config sys_ptrace };
+allow syslogd_t self:capability { chown dac_override fsetid net_admin sys_admin sys_nice sys_resource sys_tty_config };
+dontaudit syslogd_t self:capability { sys_ptrace sys_tty_config };
 # setpgid for metalog # setrlimit for syslog-ng # getsched for syslog-ng
@@ -503,7 +503,7 @@ userdom_dontaudit_search_user_home_dirs(syslogd_t) ifdef(`init_systemd',` # systemd-journald permissions
- allow syslogd_t self:capability { chown setuid setgid };
+ allow syslogd_t self:capability { chown setgid setuid };
 allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write }; kernel_use_fds(syslogd_t)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 3dc2dcac..e04fb18a 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -50,7 +50,7 @@ files_tmp_file(lvm_tmp_t) # Cluster LVM daemon local policy #
-allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
+allow clvmd_t self:capability { chown ipc_lock mknod sys_admin sys_nice };
 dontaudit clvmd_t self:capability sys_tty_config; allow clvmd_t self:process { signal_perms setsched }; dontaudit clvmd_t self:process ptrace;
@@ -169,7 +169,7 @@ optional_policy(` # DAC overrides and mknod for modifying /dev entries (vgmknodes) # rawio needed for dmraid # net_admin for multipath
-allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
+allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
 dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate }; # LVM will complain a lot if it cannot set its priority.
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index fc25ee03..c3fbad5d 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -42,7 +42,7 @@ application_domain(unconfined_mount_t, mount_exec_t) # # setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:capability { chown dac_override ipc_lock setgid setuid sys_admin sys_rawio sys_tty_config };
 allow mount_t self:process signal; # zfs list uses pipes allow mount_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ed153758..cda88f5a 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -220,7 +220,7 @@ optional_policy(` # Newrole local policy #
-allow newrole_t self:capability { fowner setuid setgid dac_override };
+allow newrole_t self:capability { dac_override fowner setgid setuid };
 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use;
@@ -444,7 +444,7 @@ optional_policy(` # semodule local policy #
-allow semanage_t self:capability { dac_override audit_write };
+allow semanage_t self:capability { audit_write dac_override };
 allow semanage_t self:unix_stream_socket create_stream_socket_perms; allow semanage_t self:unix_dgram_socket create_socket_perms; allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 83112b03..9518a23d 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -47,8 +47,8 @@ ifdef(`distro_debian',` # # DHCP client local policy #
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
-dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace sys_admin };
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
+dontaudit dhcpc_t self:capability { sys_admin sys_ptrace sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
@@ -270,7 +270,7 @@ optional_policy(` # Ifconfig local policy #
-allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
+allow ifconfig_t self:capability { net_admin net_raw sys_admin sys_tty_config };
 dontaudit ifconfig_t self:capability sys_module; allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:fd use;
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index d16a3804..4bd7f9b3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -230,7 +230,7 @@ optional_policy(` # Logind local policy #
-allow systemd_logind_t self:capability { fowner sys_tty_config chown dac_override };
+allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config };
 allow systemd_logind_t self:process getcap; allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
@@ -336,7 +336,7 @@ systemd_log_parse_environment(systemd_sessions_t) # Tmpfiles local policy #
-allow systemd_tmpfiles_t self:capability { fowner chown fsetid dac_override mknod };
+allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod };
 allow systemd_tmpfiles_t self:process { setfscreate getcap }; kernel_read_kernel_sysctls(systemd_tmpfiles_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d42ac73d..e0405fb1 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -38,7 +38,7 @@ ifdef(`enable_mcs',` # Local policy #
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
 dontaudit udev_t self:capability sys_tty_config; allow udev_t self:capability2 block_suspend; allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 5c304f59..334759e8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -848,8 +848,8 @@ template(`userdom_login_user_template', ` # User domain Local policy #
- allow $1_t self:capability { setgid chown fowner };
- dontaudit $1_t self:capability { sys_nice fsetid };
+ allow $1_t self:capability { chown fowner setgid };
+ dontaudit $1_t self:capability { fsetid sys_nice };
 allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; dontaudit $1_t self:process setrlimit;
@@ -1193,7 +1193,7 @@ template(`userdom_admin_user_template',` # $1_t local policy #
- allow $1_t self:capability ~{ sys_module audit_control audit_write };
+ allow $1_t self:capability ~{ audit_control audit_write sys_module };
 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create;
@@ -1336,7 +1336,7 @@ template(`userdom_admin_user_template',` ## </param> # template(`userdom_security_admin_template',`
- allow $1 self:capability { dac_read_search dac_override };
+ allow $1 self:capability { dac_override dac_read_search };
 corecmd_exec_shell($1)
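Review bot: In policy/modules/system/udev.te (hunk @@ -38,7) the sorted list now reads `sys_admin sys_nice sys_nice sys_ptrace`: the duplicate `sys_nice` that was spread across the unsorted line was carried over instead of being dropped. It should not change the compiled policy, but a sorted set is expected to hold each permission once, and a duplicate makes later reviews of this fairly broad grant harder to trust. Suggested line: `allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };`.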
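Review bot: In policy/modules/system/userdomain.if (hunk @@ -1193,7, inside userdom_admin_user_template, whose body starts and ends outside the hunk) the rule `allow $1_t self:capability ~{ audit_control audit_write sys_module };` is a complement set, so it grants every permission in the capability class except the three named. That intent is easy to misread as a short allow list now that it is sorted like its neighbours, and the rule presumably also picks up any permission added to the class later. A comment above it would make this explicit, for example `# Complement set: every capability except those listed is granted; review the exclusions when the class changes.`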