Sort capabilities permissions from Russell Coker.

author: Chris PeBenito <pebenito@ieee.org> 2017-02-15 18:47:33 -0500
committer: Jason Zaman <jason@perfinion.com> 2017-02-17 16:13:38 +0800
commit: b8090bfeb7461011bfbbfc43d47caab6fc863d3d (patch)
tree: 6506d53221c4d5a0ca619d4cacbf4c861acccd84 /policy/modules
parent: inherited file and fifo perms (diff)
download: hardened-refpolicy-b8090bfeb7461011bfbbfc43d47caab6fc863d3d.tar.gz
hardened-refpolicy-b8090bfeb7461011bfbbfc43d47caab6fc863d3d.tar.bz2
hardened-refpolicy-b8090bfeb7461011bfbbfc43d47caab6fc863d3d.zip
29 files changed, 53 insertions, 53 deletions
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 8ed70327..8b7c18cd 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -41,7 +41,7 @@ dev_node(bootloader_tmp_t)
 # bootloader local policy
 #
 
-allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
+allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod sys_admin sys_rawio };
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 9eabff3a..744a2aa3 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -33,7 +33,7 @@ init_system_domain(traceroute_t, traceroute_exec_t)
 #
 
 # Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot };
+allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setuid sys_chroot };
 dontaudit netutils_t self:capability { dac_override sys_tty_config };
 allow netutils_t self:process { setcap signal_perms };
 allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
@@ -107,7 +107,7 @@ optional_policy(`
 # Ping local policy
 #
 
-allow ping_t self:capability { setuid net_raw };
+allow ping_t self:capability { net_raw setuid };
 # When ping is installed with capabilities instead of setuid
 allow ping_t self:process { getcap setcap };
 dontaudit ping_t self:capability sys_tty_config;
@@ -168,7 +168,7 @@ optional_policy(`
 # Traceroute local policy
 #
 
-allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+allow traceroute_t self:capability { net_admin net_raw setgid setuid };
 allow traceroute_t self:rawip_socket create_socket_perms;
 allow traceroute_t self:packet_socket create_socket_perms;
 allow traceroute_t self:udp_socket create_socket_perms;
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 02aabd81..4a434b84 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -41,7 +41,7 @@ template(`su_restricted_domain_template', `
 
 	allow $2 $1_su_t:process signal;
 
-	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+	allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource };
 	dontaudit $1_su_t self:capability sys_tty_config;
 	allow $1_su_t self:key { search write };
 	allow $1_su_t self:process { setexec setsched setrlimit };
@@ -160,7 +160,7 @@ template(`su_role_template',`
 
 	allow $3 $1_su_t:process signal;
 
-	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+	allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource };
 	dontaudit $1_su_t self:capability sys_tty_config;
 	allow $1_su_t self:process { setexec setsched setrlimit };
 	allow $1_su_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index e65690dc..b8fb9dfc 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -52,7 +52,7 @@ template(`sudo_role_template',`
 	#
 
 	# Use capabilities.
-	allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
+	allow $1_sudo_t self:capability { chown dac_override fowner setgid setuid sys_nice sys_resource };
 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_sudo_t self:process { setexec setrlimit };
 	allow $1_sudo_t self:fd use;
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index ab0ba0af..b3909030 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -69,7 +69,7 @@ role useradd_roles types useradd_t;
 # Chfn local policy
 #
 
-allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow chfn_t self:capability { chown dac_override fsetid setgid setuid sys_resource };
 allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow chfn_t self:process { setrlimit setfscreate };
 allow chfn_t self:fd use;
@@ -189,7 +189,7 @@ optional_policy(`
 # Groupadd local policy
 #
 
-allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
+allow groupadd_t self:capability { audit_write chown dac_override kill setuid sys_resource };
 dontaudit groupadd_t self:capability { fsetid sys_tty_config };
 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow groupadd_t self:process { setrlimit setfscreate };
@@ -276,7 +276,7 @@ optional_policy(`
 # Passwd local policy
 #
 
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
+allow passwd_t self:capability { chown dac_override fsetid setgid setuid sys_nice sys_resource };
 dontaudit passwd_t self:capability sys_tty_config;
 allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow passwd_t self:process { setrlimit setfscreate };
@@ -365,7 +365,7 @@ optional_policy(`
 # Password admin local policy
 #
 
-allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow sysadm_passwd_t self:capability { chown dac_override fsetid setgid setuid sys_resource };
 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sysadm_passwd_t self:process { setrlimit setfscreate };
 allow sysadm_passwd_t self:fd use;
@@ -449,7 +449,7 @@ optional_policy(`
 # Useradd local policy
 #
 
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
+allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
 dontaudit useradd_t self:capability sys_tty_config;
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
index 75901658..dba409bd 100644
--- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te
@@ -15,7 +15,7 @@ role system_r types seunshare_t;
 # seunshare local policy
 #
 
-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
+allow seunshare_t self:capability { dac_override setpcap setuid sys_admin };
 allow seunshare_t self:process { setexec signal getcap setcap };
 
 allow seunshare_t self:fifo_file rw_file_perms;
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f82c792b..6babfb90 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6849,7 +6849,7 @@ interface(`files_polyinstantiate_all',`
 	selinux_compute_member($1)
 
 	# Need sys_admin capability for mounting
-	allow $1 self:capability { chown fsetid sys_admin fowner };
+	allow $1 self:capability { chown fowner fsetid sys_admin };
 
 	# Need to give access to the directories to be polyinstantiated
 	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 0f02e914..bbc3527e 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -13,7 +13,7 @@ userdom_unpriv_user_template(auditadm)
 # Local policy
 #
 
-allow auditadm_t self:capability { dac_read_search dac_override };
+allow auditadm_t self:capability { dac_override dac_read_search };
 
 kernel_read_ring_buffer(auditadm_t)
 
diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
index 3a45a3ef..b524c0b5 100644
--- a/policy/modules/roles/logadm.te
+++ b/policy/modules/roles/logadm.te
@@ -14,6 +14,6 @@ userdom_base_user_template(logadm)
 # logadmin local policy
 #
 
-allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice sys_ptrace };
 
 logging_admin(logadm_t, logadm_r)
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index 3d458944..763b71e1 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -15,7 +15,7 @@ userdom_security_admin_template(secadm_t, secadm_r)
 # Local policy
 #
 
-allow secadm_t self:capability { dac_read_search dac_override };
+allow secadm_t self:capability { dac_override dac_read_search };
 
 corecmd_exec_shell(secadm_t)
 
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 5b2508da..e21ce738 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -227,8 +227,8 @@ postgresql_view_object(user_sepgsql_view_t)
 #
 # postgresql Local policy
 #
-allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
-dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
+allow postgresql_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_admin sys_nice sys_tty_config };
+dontaudit postgresql_t self:capability { sys_admin sys_tty_config };
 allow postgresql_t self:process signal_perms;
 allow postgresql_t self:fifo_file rw_fifo_file_perms;
 allow postgresql_t self:file { getattr read };
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 3fda8872..486339f0 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -56,7 +56,7 @@ template(`ssh_basic_client_template',`
 	# Client local policy
 	#
 
-	allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
+	allow $1_ssh_t self:capability { dac_override dac_read_search setgid setuid };
 	allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_ssh_t self:fd use;
 	allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
@@ -181,7 +181,7 @@ template(`ssh_server_template', `
 	type $1_var_run_t;
 	files_pid_file($1_var_run_t)
 
-	allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+	allow $1_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot sys_nice sys_resource sys_tty_config };
 	allow $1_t self:fifo_file rw_fifo_file_perms;
 	allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
 	allow $1_t self:tcp_socket create_stream_socket_perms;
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 78b8b909..8c0b009f 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -99,7 +99,7 @@ ifdef(`distro_debian',`
 # SSH client local policy
 #
 
-allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+allow ssh_t self:capability { dac_override dac_read_search setgid setuid };
 allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow ssh_t self:fd use;
 allow ssh_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 9c1a0276..68014747 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -314,7 +314,7 @@ optional_policy(`
 # XDM Local policy
 #
 
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+allow xdm_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_owner kill mknod net_bind_service setgid setuid sys_nice sys_rawio sys_resource sys_tty_config };
 dontaudit xdm_t self:capability sys_admin;
 allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms };
 allow xdm_t self:fifo_file rw_fifo_file_perms;
@@ -637,7 +637,7 @@ allow xserver_t input_xevent_t:x_event send;
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
 
-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+allow xserver_t self:capability { dac_override fowner fsetid ipc_owner mknod net_bind_service setgid setuid sys_admin sys_nice sys_rawio sys_tty_config };
 dontaudit xserver_t self:capability chown;
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 16bd0676..9d729671 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -28,7 +28,7 @@ files_type(swapfile_t)
 #
 
 # ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
+allow fsadm_t self:capability { dac_override dac_read_search ipc_lock sys_admin sys_rawio sys_resource sys_tty_config };
 allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
 allow fsadm_t self:fd use;
 allow fsadm_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index af898997..69c2274d 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -33,7 +33,7 @@ files_pid_file(getty_var_run_t)
 #
 
 # Use capabilities.
-allow getty_t self:capability { dac_override chown setgid sys_admin sys_resource sys_tty_config fowner fsetid };
+allow getty_t self:capability { chown dac_override fowner fsetid setgid sys_admin sys_resource sys_tty_config };
 dontaudit getty_t self:capability sys_tty_config;
 allow getty_t self:process { getpgid setpgid getsession signal_perms };
 allow getty_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index 4572650b..8c7e5ff5 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -22,8 +22,8 @@ files_pid_file(hotplug_var_run_t)
 # Local policy
 #
 
-allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
-dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
+allow hotplug_t self:capability { mknod net_admin sys_rawio sys_tty_config };
+dontaudit hotplug_t self:capability { sys_admin sys_module sys_ptrace sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit hotplug_t self:capability { dac_override dac_read_search };
 allow hotplug_t self:process { setpgid getsession getattr signal_perms };
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 68018111..72dd736b 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -80,7 +80,7 @@ role system_r types setkey_t;
 # ipsec Local policy
 #
 
-allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice };
+allow ipsec_t self:capability { chown dac_override dac_read_search net_admin setgid setpcap setuid sys_nice };
 dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
 allow ipsec_t self:process { getcap setcap getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
@@ -460,7 +460,7 @@ userdom_use_user_terminals(setkey_t)
 # ipsec_supervisor policy
 #
 
-allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin };
+allow ipsec_supervisor_t self:capability { dac_override dac_read_search kill net_admin };
 allow ipsec_supervisor_t self:process { signal };
 allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
 allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index e062e44c..0380f55b 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -33,7 +33,7 @@ files_pid_file(iptables_var_run_t)
 # Iptables local policy
 #
 
-allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
+allow iptables_t self:capability { dac_override dac_read_search net_admin net_raw };
 dontaudit iptables_t self:capability sys_tty_config;
 allow iptables_t self:fifo_file rw_fifo_file_perms;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 8748ca83..174ba9f4 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -32,7 +32,7 @@ role system_r types sulogin_t;
 # Local login local policy
 #
 
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
 allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow local_login_t self:process { setrlimit setexec };
 allow local_login_t self:fd use;
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index f7d3d698..ba463497 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -119,7 +119,7 @@ interface(`logging_set_tty_audit',`
 ## </param>
 #
 interface(`logging_set_audit_parameters',`
-	allow $1 self:capability { audit_write audit_control };
+	allow $1 self:capability { audit_control audit_write };
 	allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 ')
 
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 9232f267..94be02e5 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -99,7 +99,7 @@ ifdef(`enable_mls',`
 # Auditctl local policy
 #
 
-allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+allow auditctl_t self:capability { dac_override dac_read_search fsetid };
 allow auditctl_t self:process getcap;
 allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
 
@@ -275,7 +275,7 @@ optional_policy(`
 # Audit remote logger local policy
 #
 
-allow audisp_remote_t self:capability { setuid setpcap };
+allow audisp_remote_t self:capability { setpcap setuid };
 allow audisp_remote_t self:process { getcap setcap };
 allow audisp_remote_t self:tcp_socket create_socket_perms;
 allow audisp_remote_t var_log_t:dir search_dir_perms;
@@ -373,8 +373,8 @@ optional_policy(`
 # sys_admin for the integrated klog of syslog-ng and metalog
 # sys_nice for rsyslog
 # cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
-dontaudit syslogd_t self:capability { sys_tty_config sys_ptrace };
+allow syslogd_t self:capability { chown dac_override fsetid net_admin sys_admin sys_nice sys_resource sys_tty_config };
+dontaudit syslogd_t self:capability { sys_ptrace sys_tty_config };
 # setpgid for metalog
 # setrlimit for syslog-ng
 # getsched for syslog-ng
@@ -503,7 +503,7 @@ userdom_dontaudit_search_user_home_dirs(syslogd_t)
 ifdef(`init_systemd',`
 	# systemd-journald permissions
 
-	allow syslogd_t self:capability { chown setuid setgid };
+	allow syslogd_t self:capability { chown setgid setuid };
 	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
 
 	kernel_use_fds(syslogd_t)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 3dc2dcac..e04fb18a 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -50,7 +50,7 @@ files_tmp_file(lvm_tmp_t)
 # Cluster LVM daemon local policy
 #
 
-allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
+allow clvmd_t self:capability { chown ipc_lock mknod sys_admin sys_nice };
 dontaudit clvmd_t self:capability sys_tty_config;
 allow clvmd_t self:process { signal_perms setsched };
 dontaudit clvmd_t self:process ptrace;
@@ -169,7 +169,7 @@ optional_policy(`
 # DAC overrides and mknod for modifying /dev entries (vgmknodes)
 # rawio needed for dmraid
 # net_admin for multipath
-allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
+allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
 dontaudit lvm_t self:capability sys_tty_config;
 allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
 # LVM will complain a lot if it cannot set its priority.
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index fc25ee03..c3fbad5d 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -42,7 +42,7 @@ application_domain(unconfined_mount_t, mount_exec_t)
 #
 
 # setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:capability { chown dac_override ipc_lock setgid setuid sys_admin sys_rawio sys_tty_config };
 allow mount_t self:process signal;
 # zfs list uses pipes
 allow mount_t self:fifo_file rw_fifo_file_perms;
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ed153758..cda88f5a 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -220,7 +220,7 @@ optional_policy(`
 # Newrole local policy
 #
 
-allow newrole_t self:capability { fowner setuid setgid dac_override };
+allow newrole_t self:capability { dac_override fowner setgid setuid };
 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
@@ -444,7 +444,7 @@ optional_policy(`
 # semodule local policy
 #
 
-allow semanage_t self:capability { dac_override audit_write };
+allow semanage_t self:capability { audit_write dac_override };
 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 allow semanage_t self:unix_dgram_socket create_socket_perms;
 allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 83112b03..9518a23d 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -47,8 +47,8 @@ ifdef(`distro_debian',`
 #
 # DHCP client local policy
 #
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
-dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace sys_admin };
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
+dontaudit dhcpc_t self:capability { sys_admin sys_ptrace sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
 allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
@@ -270,7 +270,7 @@ optional_policy(`
 # Ifconfig local policy
 #
 
-allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
+allow ifconfig_t self:capability { net_admin net_raw sys_admin sys_tty_config };
 dontaudit ifconfig_t self:capability sys_module;
 allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow ifconfig_t self:fd use;
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index d16a3804..4bd7f9b3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -230,7 +230,7 @@ optional_policy(`
 # Logind local policy
 #
 
-allow systemd_logind_t self:capability { fowner sys_tty_config chown dac_override };
+allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config };
 allow systemd_logind_t self:process getcap;
 allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
@@ -336,7 +336,7 @@ systemd_log_parse_environment(systemd_sessions_t)
 # Tmpfiles local policy
 #
 
-allow systemd_tmpfiles_t self:capability  { fowner chown fsetid dac_override mknod };
+allow systemd_tmpfiles_t self:capability  { chown dac_override fowner fsetid mknod };
 allow systemd_tmpfiles_t self:process { setfscreate getcap };
 
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d42ac73d..e0405fb1 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -38,7 +38,7 @@ ifdef(`enable_mcs',`
 # Local policy
 #
 
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
 dontaudit udev_t self:capability sys_tty_config;
 allow udev_t self:capability2 block_suspend;
 allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 5c304f59..334759e8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -848,8 +848,8 @@ template(`userdom_login_user_template', `
 	# User domain Local policy
 	#
 
-	allow $1_t self:capability { setgid chown fowner };
-	dontaudit $1_t self:capability { sys_nice fsetid };
+	allow $1_t self:capability { chown fowner setgid };
+	dontaudit $1_t self:capability { fsetid sys_nice };
 
 	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
 	dontaudit $1_t self:process setrlimit;
@@ -1193,7 +1193,7 @@ template(`userdom_admin_user_template',`
 	# $1_t local policy
 	#
 
-	allow $1_t self:capability ~{ sys_module audit_control audit_write };
+	allow $1_t self:capability ~{ audit_control audit_write sys_module };
 	allow $1_t self:process { setexec setfscreate };
 	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
 	allow $1_t self:tun_socket create;
@@ -1336,7 +1336,7 @@ template(`userdom_admin_user_template',`
 ## </param>
 #
 template(`userdom_security_admin_template',`
-	allow $1 self:capability { dac_read_search dac_override };
+	allow $1 self:capability { dac_override dac_read_search };
 
 	corecmd_exec_shell($1)
author	Chris PeBenito <pebenito@ieee.org>	2017-02-15 18:47:33 -0500
committer	Jason Zaman <jason@perfinion.com>	2017-02-17 16:13:38 +0800
commit	b8090bfeb7461011bfbbfc43d47caab6fc863d3d (patch)
tree	6506d53221c4d5a0ca619d4cacbf4c861acccd84 /policy/modules
parent	inherited file and fifo perms (diff)
download	hardened-refpolicy-b8090bfeb7461011bfbbfc43d47caab6fc863d3d.tar.gz hardened-refpolicy-b8090bfeb7461011bfbbfc43d47caab6fc863d3d.tar.bz2 hardened-refpolicy-b8090bfeb7461011bfbbfc43d47caab6fc863d3d.zip