From cd62a4a56a5a0cec5268e343e19561b4ddd569b4 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Tue, 14 Jan 2020 14:27:45 -0500
Subject: [PATCH] access_vectors: re-organize common file perms

The open, audit_access, execmod, and watch* permissions are all defined in the COMMON_FILE_PERMS in the kernel classmap and inherited by all the file-related classes; we can do the same in the policy by putting them into the common file declaration.

refpolicy recently similarly reorganized its definitions and added the watch* permissions to common file, see:
https://github.com/SELinuxProject/refpolicy/commit/e5dbe7527690d95cced0e58052746fb59d9321c7
https://github.com/SELinuxProject/refpolicy/commit/c656b97a289ce6c2da2871700384f0f9d831be18
https://github.com/SELinuxProject/refpolicy/commit/3952ecb4dd4435c8e017a0d2733ba49b02730764

Adding new permissions to the end of the existing classes was only required for kernels that predate the dynamic class/perm mapping support (< v2.6.33).

Test: policy still builds
Change-Id: I44a2c3a94c21ed23410b6f807af7f1179e2c1747
Signed-off-by: Stephen Smalley
---
 private/access_vectors | 72 +++++-------------------------------------
 1 file changed, 8 insertions(+), 64 deletions(-)

diff --git a/private/access_vectors b/private/access_vectors
index 8c6aa68b6..cd1ad12fa 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -27,6 +27,14 @@ common file
 	execute
 	quotaon
 	mounton
+	audit_access
+	open
+	execmod
+	watch
+	watch_mount
+	watch_sb
+	watch_with_perm
+	watch_reads
 }
@@ -164,14 +172,6 @@ inherits file
 	reparent
 	search
 	rmdir
-	open
-	audit_access
-	execmod
-	watch
-	watch_mount
-	watch_sb
-	watch_with_perm
-	watch_reads
 }
 class file
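Review bot: The eight permissions added to `common file` carry no comment saying why they now live in the common block rather than per class, so a reader of access_vectors alone cannot see the kernel-classmap rationale the commit message gives. I would add above `audit_access`: `# Inherited by every file-like class; kept in common file to match the kernel's COMMON_FILE_PERMS.` The matching per-class removals are the `dir` hunk (@@ -164) and the file/lnk_file/chr_file/blk_file/sock_file/fifo_file hunk (@@ -179); the trailing context of the first hunk appears truncated here, so the lines after `}` are not visible.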
@@ -179,82 +179,26 @@ inherits file
 {
 	execute_no_trans
 	entrypoint
-	execmod
-	open
-	audit_access
-	watch
-	watch_mount
-	watch_sb
-	watch_with_perm
-	watch_reads
 }
 class lnk_file
 inherits file
-{
-	open
-	audit_access
-	execmod
-	watch
-	watch_mount
-	watch_sb
-	watch_with_perm
-	watch_reads
-}
 class chr_file
 inherits file
 {
 	execute_no_trans
 	entrypoint
-	execmod
-	open
-	audit_access
-	watch
-	watch_mount
-	watch_sb
-	watch_with_perm
-	watch_reads
 }
 class blk_file
 inherits file
-{
-	open
-	audit_access
-	execmod
-	watch
-	watch_mount
-	watch_sb
-	watch_with_perm
-	watch_reads
-}
 class sock_file
 inherits file
-{
-	open
-	audit_access
-	execmod
-	watch
-	watch_mount
-	watch_sb
-	watch_with_perm
-	watch_reads
-}
 class fifo_file
 inherits file
-{
-	open
-	audit_access
-	execmod
-	watch
-	watch_mount
-	watch_sb
-	watch_with_perm
-	watch_reads
-}
 class fd
 {
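Review bot: The removals here keep the effective permission set unchanged only if every class that `inherits file` previously listed all eight permissions; this hunk covers file, lnk_file, chr_file, blk_file, sock_file and fifo_file, and the earlier hunk covers dir, so any other `inherits file` class elsewhere in access_vectors (none visible in this patch) would silently gain open/audit_access/execmod/watch* rights. "Test: policy still builds" does not detect such a widening, so I would confirm with a per-class permission listing of the compiled policy before and after (e.g. `seinfo` from setools) or at least `grep -n 'inherits file' private/access_vectors` to check the set of inheriting classes against the ones edited here. The bodiless form `class lnk_file inherits file` that results for four classes is accepted by checkpolicy, as the build shows, but worth a one-line comment on the first such class noting that the body is intentionally empty because common file now supplies everything.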