authorChris PeBenito <pebenito@ieee.org>2017-08-13 16:21:44 -0400
committerLuis Ressel <aranea@aixah.de>2017-09-09 00:31:19 +0200
commit55a7d76dd8b6ddc679db0aa67cf3bbbf45fa4b30 (patch)
treef1b83848b1b9a1e7c068766166c2a8bd81e24756 /policy/modules/admin
parentkernel: Module version bump for patch from Nicolas Iooss. (diff)
Remove complement and wildcard in allow rules.
Remove complement (~) and wildcard (*) in allow rules so that there are no unintentional additions when new permissions are declared. This patch does not add or remove permissions from any rules.
Diffstat (limited to 'policy/modules/admin')
-rw-r--r--policy/modules/admin/consoletype.te2
-rw-r--r--policy/modules/admin/sudo.if2
-rw-r--r--policy/modules/admin/usermanage.te15
3 files changed, 7 insertions, 12 deletions
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index d9663044b..bf6099615 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -16,7 +16,7 @@ init_system_domain(consoletype_t, consoletype_exec_t)
#
allow consoletype_t self:capability { sys_admin sys_tty_config };
-allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow consoletype_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow consoletype_t self:fd use;
allow consoletype_t self:fifo_file rw_fifo_file_perms;
allow consoletype_t self:sock_file read_sock_file_perms;
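Review bot: The explicit set on the new `allow consoletype_t self:process` line omits `fork`, which the removed complement rule covered because `fork` was not among the excluded permissions (assuming the `process` class declares it, as the upstream reference policy does). Taken on its own the rule therefore grants less than before, which does not match the description's statement that no permissions are added or removed; the same omission appears in the new lines for `$1_sudo_t`, `chfn_t`, `groupadd_t`, `passwd_t`, `sysadm_passwd_t` and `useradd_t`. If these domains receive `fork` from a rule outside this diff, record that next to the rule, e.g. `# fork is granted by a domain-wide rule, so it is not repeated here`; otherwise add `fork` to each list. The change fails closed, so the risk is a denied fork at runtime rather than a wider grant.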
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index eece2a3b5..ac8c688aa 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -53,7 +53,7 @@ template(`sudo_role_template',`
# Use capabilities.
allow $1_sudo_t self:capability { chown dac_override fowner setgid setuid sys_nice sys_resource };
- allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_sudo_t self:process { signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr getrlimit rlimitinh siginh transition setsockcreate dyntransition noatsecure setkeycreate };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
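Review bot: The follow-up rule `allow $1_sudo_t self:process { setexec setrlimit };` is left as a separate statement here, whereas the usermanage.te hunks of this commit fold the equivalent second rule into the explicit list, and the permissions on the new line are in a different order from the other files. Merging the two rules and using one ordering would let a reader compare the sudo domain's self:process grant with the others at a glance, which is the point of spelling the set out. The template body starts and ends outside this hunk.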
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 4db2838a5..25e34b72d 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -70,8 +70,7 @@ role useradd_roles types useradd_t;
#
allow chfn_t self:capability { chown dac_override fsetid setgid setuid sys_resource };
-allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
-allow chfn_t self:process { setrlimit setfscreate };
+allow chfn_t self:process { transition sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow chfn_t self:fd use;
allow chfn_t self:fifo_file rw_fifo_file_perms;
allow chfn_t self:sock_file read_sock_file_perms;
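Review bot: The new `chfn_t` line spells out `sigkill sigstop signull signal` where the other four rules in this file use `signal_perms`, and it has no `sigchld`. If `signal_perms` includes `sigchld`, as it does in the upstream reference policy's permission sets, chfn_t ends up with a different signal set from its siblings even though all five removed rules excluded the same permissions. Either use `signal_perms` here as well, or add a comment such as `# sigchld intentionally omitted: <reason>` so the difference reads as deliberate.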
@@ -191,8 +190,7 @@ optional_policy(`
allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
dontaudit groupadd_t self:capability { fsetid sys_tty_config };
-allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
-allow groupadd_t self:process { setrlimit setfscreate };
+allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow groupadd_t self:fd use;
allow groupadd_t self:fifo_file rw_fifo_file_perms;
allow groupadd_t self:shm create_shm_perms;
@@ -278,8 +276,7 @@ optional_policy(`
allow passwd_t self:capability { chown dac_override fsetid setgid setuid sys_nice sys_resource };
dontaudit passwd_t self:capability sys_tty_config;
-allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow passwd_t self:process { setrlimit setfscreate };
+allow passwd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow passwd_t self:fd use;
allow passwd_t self:fifo_file rw_fifo_file_perms;
allow passwd_t self:sock_file read_sock_file_perms;
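Review bot: Nothing marks the new `passwd_t` list as a mechanical expansion of the old complement, so a later reader may take entries such as `dyntransition`, `noatsecure`, `setcap` and `share` as deliberately granted. A comment above the rule, e.g. `# Expanded from a complement rule; not yet reviewed for least privilege.`, would keep that visible for a follow-up audit. The same applies to the other explicit lists in this commit.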
@@ -366,8 +363,7 @@ optional_policy(`
#
allow sysadm_passwd_t self:capability { chown dac_override fsetid setgid setuid sys_resource };
-allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow sysadm_passwd_t self:process { setrlimit setfscreate };
+allow sysadm_passwd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow sysadm_passwd_t self:fd use;
allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms;
allow sysadm_passwd_t self:sock_file read_sock_file_perms;
@@ -451,8 +447,7 @@ optional_policy(`
allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
dontaudit useradd_t self:capability sys_tty_config;
-allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow useradd_t self:process setfscreate;
+allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow useradd_t self:fd use;
allow useradd_t self:fifo_file rw_fifo_file_perms;
allow useradd_t self:shm create_shm_perms;